US20050138355A1 - System, method and devices for authentication in a wireless local area network (WLAN) - Google Patents

System, method and devices for authentication in a wireless local area network (WLAN) Download PDF

Info

Publication number
US20050138355A1
US20050138355A1 US10/741,408 US74140803A US2005138355A1 US 20050138355 A1 US20050138355 A1 US 20050138355A1 US 74140803 A US74140803 A US 74140803A US 2005138355 A1 US2005138355 A1 US 2005138355A1
Authority
US
United States
Prior art keywords
wlan
cdma2000
challenge
response
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/741,408
Inventor
Lidong Chen
Rajesh Pazhyannur
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Motorola Solutions Inc
Original Assignee
Motorola Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Motorola Inc filed Critical Motorola Inc
Priority to US10/741,408 priority Critical patent/US20050138355A1/en
Assigned to MOTOROLA, INC. reassignment MOTOROLA, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHEN, LIDONG, PAZHYANNUR, RAJESH S.
Priority to KR1020067011997A priority patent/KR20060123345A/en
Priority to PCT/US2004/041075 priority patent/WO2005065132A2/en
Priority to BRPI0417840-8A priority patent/BRPI0417840A/en
Priority to JP2006545742A priority patent/JP2007522695A/en
Priority to RU2006126074/09A priority patent/RU2006126074A/en
Priority to CNA2004800375952A priority patent/CN101120534A/en
Publication of US20050138355A1 publication Critical patent/US20050138355A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/162Implementing security features at a particular protocol layer at the data link layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • This disclosure relates generally to wireless local area network (WLAN) authentication, and more specifically to reusing CDMA2000 credentials to authenticate WLAN devices.
  • WLAN wireless local area network
  • GSM Global System for Mobile Communications
  • IETF Internet Engineering Task Force
  • 3GPP Third Generation Partnership Project
  • EAP Extensible Authentication Protocol
  • SIM GSM Subscriber Identity Module
  • the EAP/SIM mechanism cannot be applied to using CDMA2000 credentials to authenticate WLAN devices.
  • the main difficulty is that, in CDMA2000 networks, the home location register authentication center (HLR/AC) is more involved in the steps of the authentication process. CDMA2000 HLR/AC participation is even more pronounced when a second level of key, called shared secret data (SSD), is not shared with a CDMA2000 serving network in accordance with a CDMA2000 network operator's policy.
  • SSD shared secret data
  • No authentication vectors (triplets), such as those available in GSM, can be provided to a CDMA2000 serving network to derive WLAN security parameters.
  • the CDMA2000 and WLAN authentication processes use different functions to generate keys, different packet and frame structures, and different encryption methodologies.
  • FIG. 1 is a functional block diagram of a system that uses CDMA2000 credentials for authentication of a CDMA2000 wireless communication device and also for authentication of a WLAN wireless communication device.
  • FIG. 2 is a flowchart showing a WLAN device authentication process in a WLAN network according to a preferred embodiment.
  • FIG. 3 is a flowchart showing details of performing and verifying a CDMA2000 global challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 .
  • FIG. 4 is a flowchart showing details of performing and verifying a CDMA2000 unique challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 .
  • FIG. 5 is a flowchart showing details of deriving and using a WLAN master key according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 .
  • FIG. 6 is a flowchart showing details of WLAN network authentication of a WLAN device using a derived WLAN master key.
  • FIG. 7 is a flowchart showing a WLAN device authentication process in a WLAN device according to a preferred embodiment.
  • FIG. 8 is a functional block diagram of a WLAN device 800 according to a preferred embodiment.
  • FIG. 9 is a flowchart showing a process for converting CDMA2000 authentication protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000.
  • EAP Extensible Authentication Protocol
  • FIG. 10 is a flowchart showing a process for a shared secret data (SSD) update, with a WLAN server converting an SSD update protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000.
  • SSD shared secret data
  • EAP Extensible Authentication Protocol
  • a system for authentication in a wireless local area network includes a CDMA2000 authentication center for authenticating CDMA2000 credentials, a WLAN authentication server coupled to the cellular authentication center for using the CDMA2000 credentials to authenticate WLAN devices holding CDMA2000 credentials, and at least one WLAN device holding CDMA2000 credentials coupled to the WLAN authentication server.
  • the WLAN server performs a CDMA2000 global challenge and response as well as a CDMA2000 unique challenge and response with a WLAN device holding CDMA2000 credentials in order to obtain a CDMA2000 encryption key.
  • the WLAN server derives a master key from the CDMA2000 encryption key and uses the master key to perform a WLAN challenge and response with the WLAN device. If the WLAN challenge and response is successful, the WLAN server derives session keys from the master key and delivers the session keys to a WLAN access point to protect communications between the WLAN access point and the WLAN device.
  • the WLAN server uses an extension of Extensible Authentication Protocol (EAP) to facilitate communications between the CDMA2000 authentication center and a WLAN device.
  • the WLAN device has a wireless transceiver and includes a CDMA2000 user identifier module (UIM) for storing CDMA2000 credentials and generating a CDMA2000 encryption key, a random number generator coupled to a transceiver, WLAN authentication module, and session key derivation module for generating a random challenge, a master key generation module coupled to the UIM for deriving a WLAN master key from the CDMA2000 encryption key, a WLAN authentication module coupled to the master key generation module and the wireless transceiver for responding to a challenge from a WLAN server, a session key derivation module coupled to the WLAN authentication module and the master key generation module to derive session keys from the master key, and a communication protection module coupled to the session key derivation module and the wireless transceiver to apply protection to WLAN data using the session keys.
  • UIM CDMA2000 user identifier module
  • FIG. 1 is a functional block diagram of a system 100 that uses CDMA2000 credentials 110 for authentication of a CDMA2000 wireless communication device 120 and also for authentication of a WLAN wireless communication device 130 .
  • Each CDMA2000 subscriber unit 120 such as a cellular telephone or personal digital assistant with wireless CDMA2000 transceiver, makes use of a User Identity Module (UIM) that contains CDMA2000 credentials 110 .
  • UIM User Identity Module
  • R-UIM Removable UIM
  • These CDMA2000 credentials 110 are used by the CDMA2000 wireless communication device 120 when communicating through a wireless connection 125 to a CDMA2000 base station 160 .
  • the wireless connection 125 uses the CDMA2000 air interface protocol, which is backwards compatible with ANSI-95. If the base station 160 communicates through connection 165 with a CDMA2000 visitor location register (VLR) 170 using a protocol such as CDMA2000 A, the VLR will query a CDMA2000 home location register authentication center (HLR/AC) 190 over communication connection 175 during the process of authenticating the wireless communication device 120 .
  • the communication connection 175 preferably uses ANSI-41 protocols.
  • a WLAN subscriber unit 130 uses the same CDMA2000 credentials 110 used to authenticate the CDMA2000 subscriber device 120 .
  • These CDMA2000 credentials 110 are used by the WLAN wireless communication device 130 when communicating through wireless connection 135 to a WLAN access point 140 .
  • the wireless connection 135 uses an IEEE Wireless protocol, such as IEEE 802.11.
  • the WLAN access point 140 is connected to a WLAN Authentication (AAA) server 150 through communication connection 145 , which preferably uses a Wired Network protocol.
  • the WLAN AAA server 150 uses a communication connection 155 to verify the CDMA2000 credentials of the WLAN wireless communication device 130 with the CDMA2000 HLR/AC 190 .
  • the communication connection 155 preferably uses ANSI-41 protocols.
  • a benefit of using the same CDMA2000 credentials 110 to authenticate both CDMA2000 access and WLAN access is that a network operator can more easily integrate WLAN services into existing CDMA2000 infrastructure.
  • a user of CDMA2000 and WLAN services can receive a uniform bill for both the CDMA2000 and the WLAN services.
  • FIG. 2 is a flowchart 200 showing a WLAN device authentication process in a WLAN network according to a preferred embodiment.
  • This authentication process uses CDMA2000 credentials, such as CDMA2000 credentials 110 shown in FIG. 1 , to verify a WLAN device, such as the WLAN subscriber unit 130 shown in FIG. 1 . Additionally, the WLAN device verifies the WLAN network.
  • the authentication process preferably is implemented as a network protocol with a WLAN server such as the WLAN AAA server 150 shown in FIG. 1 .
  • Step 201 starts the WLAN device authentication process at the WLAN network.
  • the start step 201 can be initiated by receiving an access request from a WLAN device.
  • the access request includes an identifier of the WLAN device, a WLAN subscription identifier (W-ID), and a 128 bit random number RANDreq.
  • the RANDreq is a random challenge to the WLAN network that will be used to verify the WLAN network after a valid master key is confirmed for the WLAN device.
  • Other information such as a CDMA2000 subscription identity (M-ID) may also be included in the access request from a WLAN device.
  • the start step 201 can be initiated by the WLAN network re-authenticating a WLAN device already on the WLAN network.
  • a WLAN network will re-authenticate WLAN devices periodically as determined by the network operator.
  • Re-authentication triggers can depend on the passage of time, a request or requirement to update the master or session key(s), CDMA2000 authentication center-triggered SSD update, as well as dynamic network conditions such as network traffic and available bandwidth.
  • Step 210 checks whether a valid master key already exists for authenticating the WLAN device.
  • a valid master key implies that there is a master key stored in the WLAN server for the device and the server considers the key as being properly up-to-date. If a valid master key exists, the WLAN device is authenticated through steps 237 , 238 , 239 , and 240 , and the process ends in step 299 . Details regarding the authentication steps are below. If a valid master key already exists, there is no need for the WLAN network to communicate with a CDMA2000 authentication center, which results in no negative impact on network traffic. A valid master key may already exist because, for example, the WLAN device has recently been authenticated.
  • the authentication process would start in step 201 but the master key would still be valid for that WLAN device.
  • Another situation where there may be a pre-existing valid master key is when the device has no CDMA2000 subscription but only a WLAN subscription. In this case, the master key is the only key for WLAN authentication. It can be installed at the time of subscription activation.
  • the WLAN network will perform a CDMA2000 global challenge and response with the WLAN device in step 213 .
  • a valid master key may not exist because, for example, the WLAN device has not previously been authenticated with the WLAN network, or because the master key has been invalidated or expired.
  • Step 216 verifies the CDMA2000 global challenge and response between the WLAN device and the WLAN network. Details regarding step 216 , which depend on whether SSD is shared or not shared with the WLAN serving network, are shown in FIG. 3 . If the CDMA2000 global challenge and response are not validated in step 220 , the WLAN network sends an “authentication failed” message to the WLAN device in step 250 and the authentication process ends in step 299 . If the CDMA2000 global challenge and response are valid in step 220 , the WLAN network will perform a CDMA2000 unique challenge and response with the WLAN device in step 223 .
  • Step 226 verifies the CDMA2000 unique challenge and response between the WLAN device and the WLAN network. If the response to the CDMA2000 unique challenge is not valid in step 230 , the WLAN network sends an “authentication failed” message to the WLAN device in step 250 and the authentication process ends in step 299 . If step 230 determines that the CDMA2000 unique challenge and response are valid, the WLAN network obtains a CDMA2000 encryption key in step 233 .
  • the WLAN network may receive the CDMA2000 encryption key from the CDMA2000 authentication center or the WLAN network may generate the CDMA2000 encryption key.
  • the CDMA2000 encryption key is a signal encryption key (SMEKEY) that is conventionally generated by a CDMA2000 network for signal encryption.
  • SMEKEY is re-deployed for use as WLAN key material for generating a master key.
  • the WLAN network If SSD sharing is allowed with the WLAN network, the WLAN network generates a CDMA2000 encryption key from a shared 64-bit SSD-B key for the WLAN device. Otherwise, if SSD sharing is not allowed with the WLAN network, the WLAN network receives a CDMA2000 encryption key from the CDMA2000 authentication center. Preferably, the CDMA2000 authentication center automatically generates and sends the encryption key upon successful validation of the WLAN device's response to the CDMA2000 unique challenge in step 226 and step 230 .
  • step 234 the WLAN network derives a master key from the CDMA2000 encryption key for use when communicating with the WLAN device.
  • step 540 and the accompanying text describe details of deriving the master key.
  • the UIM in the WLAN device also generates a CDMA2000 encryption key.
  • the WLAN device derives a master key from the encryption key using the same methodology as described for the WLAN network master key. See FIG. 7 and accompanying text. Now both the WLAN device and the WLAN network hold a master key derived from the same CDMA encryption key (SMEKEY).
  • the WLAN network can compute a response to the random challenge RANDreq received in step 201 .
  • FIG. 5 and the accompanying text describe details of computing a response to the random challenge RANDreq.
  • the WLAN network and the WLAN device perform a WLAN challenge and response authentication.
  • FIG. 6 provides more detail regarding the WLAN challenge and response authentication in step 237 .
  • the WLAN network verifies the response from the WLAN device by using the master key in step 238 .
  • An invalid response as determined in step 239 will lead to sending an “authentication failed” message to the WLAN device in step 250 and the end of the protocol in step 299 .
  • a valid response as determined in step 239 implies a successful authentication and will lead to step 240 .
  • step 240 the WLAN network uses its master key to derive session keys.
  • step 570 and the related text describe details of deriving session keys.
  • the WLAN device authentication process is successful and ends in step 299 .
  • the session keys are generated, they are used to protect communications between the WLAN access point and the WLAN device.
  • the process shown in FIG. 2 enables the generation of a valid master key which in turn is used to perform WLAN authentication without the need for the WLAN server to communicate with the CDMA2000 authentication center. See also FIG. 6 and accompanying text, which details the WLAN authentication process.
  • the WLAN device can be authenticated by a WLAN master key without communicating with a CDMA2000 HLR/AC such that adding WLAN service would not increase network traffic significantly. If a CDMA2000 authentication center allows sharing of shared secret data (SSD) with the WLAN network, network traffic can be reduced further. Otherwise, the WLAN network will need to communicate with the CDMA2000 authentication center when generating or updating a WLAN master key.
  • SSD shared secret data
  • FIG. 3 is a flowchart 300 showing details of performing and verifying a CDMA2000 global challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 . Essentially, the flowchart 300 provides details for step 213 and step 216 shown in FIG. 2 .
  • Step 310 generates a CDMA2000 global challenge.
  • step 320 sends the CDMA2000 global challenge to the WLAN device.
  • the WLAN network formats the CDMA2000 global challenge according to an EAP/CDMA2000 protocol, which is a CDMA2000 extension of the EAP protocol. See FIG. 9 and accompanying text for more detail regarding the EAP/CDMA2000 protocol.
  • the WLAN network receives from the WLAN device a response to the CDMA2000 global challenge. Steps 310 , 320 , and 330 form details of step 213 shown in FIG. 2 .
  • step 350 determines whether SSD sharing is allowed with the WLAN network. If SSD is not shared, the WLAN network sends the CDMA2000 global challenge and the WLAN device's response to the appropriate CDMA2000 authentication center along with the WLAN device's CDMA2000 subscription identity (M-ID) in step 360 . Preferably, communications between the WLAN network and the CDMA2000 authentication center are formatted according to the ANSI-41 protocol. The WLAN network then receives a response from the CDMA authentication center in step 370 , which indicates whether the CDMA2000 global challenge and response were valid.
  • M-ID CDMA2000 subscription identity
  • step 350 determines that a CDMA2000 authentication center allows sharing of SSD with the WLAN network
  • step 380 the WLAN network will verify the WLAN device's response to the CDMA2000 global challenge without interacting with the CDMA2000 authentication center.
  • SSD sharing enables verification of the CDMA2000 global challenge and response with less network traffic than a non-shared SSD situation.
  • Steps 350 , 360 , 370 , and 380 form details of step 216 shown in FIG. 2 .
  • FIG. 4 is a flowchart 400 showing details of performing and verifying a CDMA2000 unique challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 .
  • the flowchart 400 provides details for step 223 and step 226 shown in FIG. 2 .
  • the CDMA2000 authentication center may initiate a CDMA2000 unique challenge even though SSD is shared with the serving network.
  • the WLAN serving network will perform a unique challenge to comply with CDMA2000 network authentication requirements.
  • Step 410 determines whether SSD sharing is allowed with the WLAN network. If SSD sharing is not allowed with the WLAN network, the WLAN network receives a CDMA2000 unique challenge together with its response from the CDMA2000 authentication center in step 420 .
  • the CDMA2000 authentication center automatically sends the CDMA2000 unique challenge and response after it has validated the CDMA2000 global challenge and response.
  • the CDMA2000 unique challenge and response from the CDMA2000 authentication center is preferably formatted according to the ANSI-41 protocol.
  • the WLAN server then sends the CDMA2000 unique challenge to the WLAN device in step 430 .
  • the WLAN network reformats the CDMA2000 unique challenge according to the EAP/CDMA2000 protocol before communicating the CDMA2000 unique challenge to the WLAN device.
  • the WLAN network receives a response to the CDMA2000 unique challenge from the WLAN device. Steps 410 , 420 , 430 , and 440 are included in step 223 shown in FIG. 2 .
  • step 450 the WLAN server verifies the WLAN device's response to the CDMA2000 unique challenge by comparing it with the one received from CDMA2000 authentication center in step 420 .
  • Step 450 is included in step 226 shown in FIG. 2 .
  • the WLAN network If SSD sharing is allowed with the WLAN network as determined by step 410 , the WLAN network generates a CDMA2000 unique challenge in step 425 . Preferably, the WLAN network automatically generates the CDMA2000 unique challenge after it has validated the CDMA2000 global challenge and response. In a situation where a CDMA2000 home network initiates a CDMA2000 unique challenge, the WLAN network receives the CDMA2000 unique challenge from the CDMA2000 authentication center instead of generating a CDMA2000 unique challenge in step 425 . Note that the unique challenge from the CDMA2000 authentication center is preferably formatted according to the ANSI-41 protocol.
  • the WLAN server then sends the CDMA2000 unique challenge to the WLAN device in step 435 .
  • the WLAN network formats the CDMA2000 unique challenge according to the EAP/CDMA2000 protocol before communicating the CDMA2000 unique challenge to the WLAN device.
  • the WLAN network receives a response to the CDMA2000 unique challenge from the WLAN device. Steps 425 , 435 , and 445 are also included in step 223 shown in FIG. 2 .
  • the WLAN server verifies the WLAN device's response to the CDMA2000 unique challenge in step 455 .
  • the response is reformatted to comply with the ANSI-41 protocol. Because SSD is shared, in step 455 the WLAN server computes a response and then compares it with the response received from the WLAN device.
  • FIG. 5 is a flowchart 500 showing details of deriving and using a WLAN to master key according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2 .
  • the flowchart 500 provides details to use a CDMA2000 encryption key to derive a master key in step 234 , to authenticate the WLAN device in steps 237 , 238 , and 239 , and to derive session keys in step 240 .
  • the flowchart also includes an authentication of the WLAN network to a WLAN device.
  • a challenge RANDreq is received in step 201 implicitly.
  • the WLAN server uses the master key to compute a response to RANDreq implicitly included in step 237 .
  • Step 510 determines whether SSD sharing is allowed. If SSD sharing is not allowed, then in step 520 , the WLAN server obtains a CDMA encryption key from the CDMA2000 authentication center. If SSD sharing is allowed, then the WLAN server generates a CDMA2000 encryption key in step 530 .
  • the WLAN server Upon either obtaining, in step 520 , or generating, in step 530 , a CDMA2000 encryption key, the WLAN server will derive a WLAN master key in step 540 .
  • the WLAN network derives a master key from the CDMA2000 encryption key using a pseudorandom function.
  • the input to the pseudorandom function should include the CDMA2000 encryption key (SMEKEY), a CDMA2000 subscription identity (M-ID), and a WLAN subscription identity (W-ID) if it is different from the CDMA2000 subscription identity. It may also include a version number (Version-ID), a counter (Counter), as well as other information.
  • SMEKEY CDMA2000 encryption key
  • M-ID CDMA2000 subscription identity
  • W-ID WLAN subscription identity
  • It may also include a version number (Version-ID), a counter (Counter), as well as other information.
  • a pseudorandom function with a 128 bit output value and use it as the master key.
  • MK (Master Key) PRF — MK ( SMEKEY
  • PRF_MK (x) used to derive the key can be any standard specified pseudorandom function.
  • the WLAN authentication server computes a response to authenticate itself to the WLAN device by responding to the random challenge RANDreq.
  • the hash function H(x) used to compute the response can be any standard specified one-way hash function.
  • MK is the master key
  • Nounce — 4 is a public variable such as system time, counter number, or publicly shared random number.
  • the WLAN server In step 560 , the WLAN server generates a random challenge RANDch and sends it to the WLAN device.
  • the WLAN device then use the random challenge (RANDch) together with its master key (MK) and potentially public variables (Nounce_X) such as system times, counter numbers, or publicly shared random numbers, to compute an authentication response (Auth-Res).
  • the WLAN server will verify the response by computing Auth-Res with the master key and comparing it with the received one.
  • the hash function H(x) used to compute the response can be any standard specified one-way hash function.
  • the WLAN server derives an encryption key (Cipher-key), an integrity protection key (MAC-key), and other keys using pseudorandom functions from the master key.
  • Cipher-key PRF — c ( MK
  • MAC -Key PRF — mac ( MK
  • the pseudorandom functions PRF(x) used to derive the keys can be any standard specified pseudorandom functions. For example, they can be essentially the same function with different parameters.
  • FIG. 6 is a flowchart 600 showing details of WLAN network authentication of a WLAN device using a derived WLAN master key. This flowchart 600 is a subset of the authentication process shown in FIG. 2 . Notice that the WLAN network authentication process does not require any interaction with a CDMA2000 authentication center, because there exists a valid master key for the WLAN device.
  • step 601 we assume that the WLAN server has initiated the WLAN network authentication process which means that there exists a valid master key for the WLAN device.
  • the WLAN server retrieves the random challenge RANDreq received in an earlier stage and computes a response.
  • step 620 it generates a random challenge RANDch and sends it to the WLAN device preferably together with the response to RANDreq computed in step 610 .
  • step 630 the WLAN device receives a response from the WLAN device to the random challenge RANDch. Steps 620 and 630 are included in step 237 of FIG. 2 .
  • step 238 shown here and also in FIG. 2 ), the WLAN server verifies the WLAN device's response to the random challenge RANDch using the master key.
  • step 239 If it is a valid response as determined in step 239 , then the WLAN server derives the session keys in step 240 . Otherwise, step 250 sends an “authentication failed” message to the WLAN device and the protocol ends in step 699 .
  • This flowchart 600 highlights a situation where the WLAN network does not need to communicate with CDMA2000 authentication center—regardless of whether SSD sharing is allowed or not allowed.
  • the WLAN network authentication procedure shown in FIG. 6 is more frequently conducted than a full authentication with the CDMA2000 network shown in FIG. 2 Therefore, the network traffic will be significantly reduced by using such a master key.
  • FIG. 7 is a flowchart 700 showing a WLAN device authentication process in a WLAN device according to a preferred embodiment.
  • This authentication process uses CDMA2000 credentials to authenticate to a WLAN network such as the one shown in FIG. 1 .
  • This authentication process preferably is implemented as a computer program in a WLAN device with a UIM such as the WLAN wireless communication device 130 with CDMA2000 credentials 110 shown in FIG. 1 .
  • Step 701 starts the WLAN device authentication process at the WLAN device.
  • the start step 701 is initiated by a WLAN device when requesting access to a WLAN network as described previously with reference to FIG. 1 . Additionally, the start step 701 can be initiated by the WLAN network requesting re-authentication of the WLAN device as described previously with reference to FIG. 1 .
  • a WLAN network will re-authenticate WLAN devices and/or update the master key periodically as determined by the network operator.
  • all communications to and from the WLAN device are in accordance with the EAP/CDMA2000 protocol.
  • the WLAN device Upon initiating the authentication process, the WLAN device generates a random challenge RANDreq in step 703 . Then it sends the challenge to the WLAN network in step 706 . If the WLAN server has a valid master key, the flow will skip to step 785 , which starts a WLAN network authentication. If the WLAN server does not have a valid master key for this WLAN device, then a full authentication occurs starting with step 710 . See decision step 210 in FIG. 2 and accompanying text. The WLAN device receives a CDMA2000 global challenge from the WLAN network in step 710 . Using its CDMA2000 credentials 110 shown in FIG. 1 , the WLAN device formulates a response to the global challenge in step 720 . The WLAN device then sends the response to the WLAN network in step 730 .
  • the WLAN device receives a CDMA2000 unique challenge in step 740 .
  • the WLAN device formulates a response to the CDMA2000 unique challenge in step 750 .
  • it sends the response to the CDMA2000 unique challenge to the WLAN network.
  • the WLAN device will receive a “success” message in step 765 and the WLAN device generates a CDMA2000 encryption key in step 770 .
  • the WLAN network encryption key is a signal encryption key (SMEKEY) that is conventionally generated from CDMA2000 credentials for signal encryption in a CDMA2000 network. In this situation, however, the SMEKEY is re-deployed for use as WLAN key material to generate a master key. From the encryption key, the WLAN device derives a master key in step 780 as previously described with reference to FIG. 2 .
  • the WLAN device Upon generating a master key, the WLAN device will receive a WLAN authentication challenge RANDch in step 785 , and this message may also include a response to the random challenge RANDreq sent in step 706 .
  • the WLAN device uses the master key to verify the response to RANDreq from the network in step 789 . If it is valid, then it uses the master key to calculate a response corresponding to the WLAN challenge RANDch in step 790 .
  • the response is sent to the WLAN network in step 795 .
  • the WLAN device derives session keys in step 797 similar to the process previously described with reference to step 240 of FIG. 2 .
  • the WLAN device authentication process ends in step 799 , and the session keys can be used to protect communications between the WLAN access point and the WLAN device.
  • FIG. 8 is a functional block diagram of a WLAN device 800 according to a preferred embodiment.
  • the WLAN device 800 generates a CDMA2000 encryption key, authenticates WLAN networks, and encrypts WLAN data.
  • the WLAN device 800 has an antenna 899 and transceiver 890 for wireless communication.
  • a CDMA2000 user identification module (UIM) 801 the CDMA2000 UIM generates and outputs a CDMA2000 encryption key, such as a SMEKEY.
  • the UIM can be either a permanently installed UIM or a removable UIM (R-UIM).
  • the WLAN device then generates a WLAN master key in a master key generation module 810 , which is coupled to the UIM and receives the CDMA2000 encryption key and uses it as a basis for master key generation.
  • a random number generator 805 coupled to the transceiver 890 , WLAN authentication module 850 , and session key derivation module 860 , generates random challenge RANDreq.
  • a WLAN authentication module 850 coupled to the master key generation module 810 and the transceiver 890 , receives a challenge RANDch from the WLAN network and a network response to a previously generated challenge RANDreq, and it verifies the response to the previously generated challenge RANDreq from the WLAN network using its master key. If the response is valid, the WLAN authentication module 850 calculates a response to the WLAN challenge RANDch using the master key. The WLAN authentication module 850 then sends the response to the random challenge RANDch to the transceiver 890 .
  • the session key derivation module 860 which is coupled to the WLAN authentication module 850 and the master key generation module 810 , derives session keys from the master key.
  • Communication protection module 870 which is coupled to the session key derivation module 860 and the transceiver 890 , uses the session keys in data protection algorithms for communication protection.
  • the modules are implemented as software running in a processor of the WLAN device and are directly or indirectly connected to the transceiver.
  • FIG. 9 is a flowchart 900 showing a process for converting CDMA2000 authentication protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000.
  • EAP Extensible Authentication Protocol
  • a WLAN server such as the WLAN AAA server 150 shown in FIG. 1 performs this conversion process.
  • the protocol is executed between a WLAN network and a WLAN device with CDMA credentials.
  • the main messages of EAP are “request”, “response”, and “success” or “failure”.
  • a success or failure message indicates a successful or failed authentication.
  • EAP/CDMA2000 enables a full authentication with both CDMA2000 global and unique challenges. It may also enable authentication using a valid WLAN master key with neither a global challenge nor a unique challenge but only the WLAN challenge and response.
  • EAP/CDMA2000 conversion starts in step 901 .
  • the WLAN server sends an EAP-request/identity in step 905 . It then receives an EAP-response/identity and verifies it in step 910 .
  • Steps 905 and 910 are variants of known messages used in many EAP extensions.
  • the WLAN server sends an EAP-request/CDMA2000/start message.
  • the WLAN device recognizes the message as a new extension of EAP using CDMA credentials.
  • the WLAN server receives an EAP-response/CDMA2000/start message from the WLAN device in step 920 .
  • the EAP-response/CDMA2000/start message may include embedded data RANDreq.
  • RANDreq is a challenge from the WLAN device which the WLAN server saves for future use as described previously with reference to FIG. 6 , step 610 .
  • the WLAN server In step 925 , the WLAN server generates a global challenge as specified in CDMA2000 and embeds the global challenge in an EAP-request/CDMA2000/Global message, before sending it. Then the WLAN server receives an EAP-response/CDMA2000/Global message in step 930 . The WLAN server then fetches the response to the Global challenge from the message and verifies it. When SSD is not shared, verification will most likely require communication with a CDMA2000 authentication center. When SSD is shared, the WLAN server can verify without interacting with the CDMA2000 authentication center. This is shown and described with reference to FIG. 3 . In step 935 , if the response to the global challenge is not valid, step 980 sends an EAP failure message.
  • the WLAN server If the response to the global challenge is valid according to step 935 , the WLAN server generates a CDMA2000 unique challenge by itself or receives a CDMA2000 unique challenge from a CDMA2000 authentication center in step 940 . In either case, the CDMA2000 unique challenge is inserted to an EAP-request/CDMA2000/Unique message and sent. The WLAN server receives an EAP-response/CDMA2000/Unique message in step 945 . The WLAN server fetches the response from the message and verifies it in accordance with FIG. 4 and the accompanying text. Preferably, the CDMA2000 authentication center is involved when SSD is not shared and the CDMA2000 authentication center is not involved when SSD is shared. If step 950 determines it is not a valid response, then the WLAN server sends an EAP failure message in step 980 .
  • step 950 determines the response is valid
  • step 955 the WLAN server generates a random challenge RANDch, embeds it in an EAP-request/CDMA2000/Challenge message, and sends it.
  • the message includes a response from the WLAN server to the challenge RANDreq received and saved in step 920 .
  • step 965 the WLAN server receives an EAP-response/CDMA2000/Challenge message.
  • the WLAN server fetches the response from the message and verifies it. If step 970 determines the response is valid, then the WLAN server sends an EAP success message and derives session keys in step 975 . Otherwise, the WLAN server sends an EAP failure message in step 980 .
  • the method ends in step 999 .
  • FIG. 10 is a flowchart showing a process 1000 for a shared secret data (SSD) update with a WLAN server converting an SSD update protocol to a new extension of Extensible Authentication Protocol (EAP) called EAP/CDMA2000.
  • An SSD update is usually initiated by a CDMA2000 authentication center.
  • a WLAN server executes an SSD update with a WLAN device to comply with a security policy of the CDMA2000 network and to maintain the interface with the CDMA2000 authentication center.
  • the protocol is generally triggered by a message from a CDMA2000 authentication center indicating an SSD update in step 1003 .
  • the WLAN server receives a random number RANDSSD for an SSD update.
  • the WLAN server then sends an EAP-request/identity message in step 1005 . It receives an EAP-response/identity message and verifies it in step 1010 . Steps 1005 and 1010 are messages common to all EAP extensions.
  • the WLAN server sends an EAP-request/CDMA2000/start message.
  • the device recognizes the execution is an extension of EAP using CDMA credentials.
  • the WLAN server receives an EAP-response/CDMA2000/start message in step 1020 .
  • the EAP-response/CDMA2000/start message may include data RANDreq.
  • RANDreq is a challenge from the WLAN device.
  • the WLAN server saves the RANDreq.
  • the SSD update is indicated by sending an EAP-request/CDMA2000/SSD message in step 1025 .
  • the random number RANDSSD received in step 1003 from the CDMA2000 authentication center is included in the EAP-request/CDMA2000/SSD message.
  • the RANDSSD will be used to compute a new SSD at the device.
  • the EAP-response/CDMA/SSD message received in step 1030 includes a random challenge RANDBS. This is a challenge from the device to the CDMA2000 network.
  • the WLAN server sends the random challenge RANDBS to the CDMA2000 authentication center in step 1035 and requests a response. It receives a response AUTHBS in step 1040 from the CDMA2000 authentication center. If the new SSD is shared, then steps 1035 and 1040 will be skipped. Instead, the WLAN server computes the response AUTHBS.
  • the response AUTHBS is included in an EAP-request/CDMA2000/SSDBS message and sent in step 1045 .
  • the received EAP-Response/CDMA2000/SSDBS message indicates a validation or invalidation of the response AUTHBS in step 1050 .
  • the WLAN server may generate a CDMA2000 unique challenge itself or receive a CDMA2000 unique challenge from CDMA2000 authentication center in step 1050 . In either case, the CDMA2000 unique challenge is inserted to an EAP-request/CDMA2000/Unique message and the message is sent in step 1055 .
  • the WLAN server receives an EAP-response/CDMA2000/Unique message.
  • the WLAN server fetches the response from the message and verifies in accordance with FIG. 4 and the accompanying text. Preferably verification occurs with the CDMA2000 authentication center when the new SSD is not shared and verification is autonomous when the new SSD is shared. If step 1065 determines the response is not valid, the WLAN server sends an EAP failure message in step 1090 and the process ends in step 1099 .
  • the WLAN server If the response is valid, in step 1070 , the WLAN server generates a random challenge RANDch, embeds it in an EAP-request/CDMA2000/Challenge message and sends it.
  • the message includes a response from the WLAN server to the challenge RANDreq received and saved in step 1020 .
  • the WLAN server receives an EAP-response/CDMA2000/Challenge message.
  • the WLAN server fetches the response from the message and verifies it. If step 1080 determines the response to the random challenge is valid, then the WLAN server sends an EAP success message and derives session keys in step 1085 before successfully completing an SSD update in step 1099 . Otherwise, the WLAN server sends an EAP failure message in step 1090 before the process ends in step 1099 .
  • the WLAN authentication process employs CDMA2000 device authentication only to the stage that a CDMA2000 encryption key is generated and a master key is formed in the device. This approach relieves the network from frequent interactions between the WLAN network and the CDMA2000 network.
  • An advantage to this approach is that because a WLAN authentication server preferably converts the EAP/CDMA2000 protocol to an ANSI-41 protocol when communicating with the CDMA2000 authentication center, and conversely converts the ANSI-41 protocol to EAP/CDMA2000 protocol when communicating with the WLAN device, the WLAN device authentication process integrates easily into existing WLAN networks and CDMA2000 networks.
  • the system, method, and devices for authentication in a WLAN provide a system, method, and devices for using CDMA2000 credentials to authenticate WLAN devices. This process minimizes disruption of existing authentication processes for CDMA2000 and for WLAN and does not greatly increase network traffic. This process does not require any changes to the CDMA2000 credentials or the CDMA2000 authentication center.
  • the terms “a” or “an,” as used herein, are defined as one or more than one.
  • the term “plurality,” as used herein, is defined as two or more than two.
  • the term “another,” as used here, is defined as at least a second or more.
  • the terms “including,” “comprising,” and/or “having,” as used herein, are defined as a non-exclusive inclusion (i.e., open language).
  • the term “coupled,” as used herein, is defined as connected, although not necessarily directly and not necessarily mechanically.
  • program is defined as a sequence of instructions designed for execution on a computer system.
  • a “program”, or “computer program”, may include a subroutine, a function, a procedure, an object method, an object implementation, in an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a computer system.

Abstract

A system (100) for authentication in a wireless local area network (WLAN) includes a CDMA2000 authentication center (190) for authenticating CDMA2000 credentials (110), a WLAN authentication server (150) for using the CDMA2000 credentials to authenticate WLAN devices holding CDMA2000 credentials, and at least one WLAN device (130) holding CDMA2000 credentials. The WLAN server (150) performs a CDMA2000 global challenge and response (213) and a CDMA2000 unique challenge and response (223) with a WLAN device to obtain a CDMA2000 encryption key (233). The WLAN server (150) derives a master key from the CDMA2000 encryption key (234) and uses the master key to perform a WLAN challenge and response (237) with the WLAN device (130) and then derives session keys from the master key (240). The session keys protect communications between the WLAN access point (140) and the WLAN device (130).

Description

    FIELD OF THE DISCLOSURE
  • This disclosure relates generally to wireless local area network (WLAN) authentication, and more specifically to reusing CDMA2000 credentials to authenticate WLAN devices.
    • BACKGROUND OF THE DISCLOSURE
  • Global System for Mobile Communications (GSM) manufacturers and operators have put tremendous efforts into finding solutions for using GSM credentials to authenticate WLAN devices. One solution proposed in standards bodies, like the Internet Engineering Task Force (IETF) and the Third Generation Partnership Project (3GPP), uses an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using the GSM Subscriber Identity Module (SIM).
  • Due to differences in the subscriber unit authentication processes for GSM and CDMA2000 networks, the EAP/SIM mechanism cannot be applied to using CDMA2000 credentials to authenticate WLAN devices. The main difficulty is that, in CDMA2000 networks, the home location register authentication center (HLR/AC) is more involved in the steps of the authentication process. CDMA2000 HLR/AC participation is even more pronounced when a second level of key, called shared secret data (SSD), is not shared with a CDMA2000 serving network in accordance with a CDMA2000 network operator's policy. No authentication vectors (triplets), such as those available in GSM, can be provided to a CDMA2000 serving network to derive WLAN security parameters. Additionally, the CDMA2000 and WLAN authentication processes use different functions to generate keys, different packet and frame structures, and different encryption methodologies.
  • There is a desire to provide a method for using CDMA2000 credentials to authenticate WLAN devices. There is also a desire to minimize disruption of existing authentication processes for CDMA2000 networks and for WLAN networks while reusing the CDMA2000 credentials. There is a desire to avoid greatly increasing network traffic when using CDMA2000 credentials to authenticate WLAN devices.
  • The various aspects, features and advantages of the disclosure will become more fully apparent to those having ordinary skill in the art upon careful consideration of the following Drawings and accompanying Detailed Description.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a functional block diagram of a system that uses CDMA2000 credentials for authentication of a CDMA2000 wireless communication device and also for authentication of a WLAN wireless communication device.
  • FIG. 2 is a flowchart showing a WLAN device authentication process in a WLAN network according to a preferred embodiment.
  • FIG. 3 is a flowchart showing details of performing and verifying a CDMA2000 global challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2.
  • FIG. 4 is a flowchart showing details of performing and verifying a CDMA2000 unique challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2.
  • FIG. 5 is a flowchart showing details of deriving and using a WLAN master key according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2.
  • FIG. 6 is a flowchart showing details of WLAN network authentication of a WLAN device using a derived WLAN master key.
  • FIG. 7 is a flowchart showing a WLAN device authentication process in a WLAN device according to a preferred embodiment.
  • FIG. 8 is a functional block diagram of a WLAN device 800 according to a preferred embodiment.
  • FIG. 9 is a flowchart showing a process for converting CDMA2000 authentication protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000.
  • FIG. 10 is a flowchart showing a process for a shared secret data (SSD) update, with a WLAN server converting an SSD update protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000.
    • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • A system for authentication in a wireless local area network (WLAN) includes a CDMA2000 authentication center for authenticating CDMA2000 credentials, a WLAN authentication server coupled to the cellular authentication center for using the CDMA2000 credentials to authenticate WLAN devices holding CDMA2000 credentials, and at least one WLAN device holding CDMA2000 credentials coupled to the WLAN authentication server. The WLAN server performs a CDMA2000 global challenge and response as well as a CDMA2000 unique challenge and response with a WLAN device holding CDMA2000 credentials in order to obtain a CDMA2000 encryption key. The WLAN server derives a master key from the CDMA2000 encryption key and uses the master key to perform a WLAN challenge and response with the WLAN device. If the WLAN challenge and response is successful, the WLAN server derives session keys from the master key and delivers the session keys to a WLAN access point to protect communications between the WLAN access point and the WLAN device.
  • The WLAN server uses an extension of Extensible Authentication Protocol (EAP) to facilitate communications between the CDMA2000 authentication center and a WLAN device. The WLAN device has a wireless transceiver and includes a CDMA2000 user identifier module (UIM) for storing CDMA2000 credentials and generating a CDMA2000 encryption key, a random number generator coupled to a transceiver, WLAN authentication module, and session key derivation module for generating a random challenge, a master key generation module coupled to the UIM for deriving a WLAN master key from the CDMA2000 encryption key, a WLAN authentication module coupled to the master key generation module and the wireless transceiver for responding to a challenge from a WLAN server, a session key derivation module coupled to the WLAN authentication module and the master key generation module to derive session keys from the master key, and a communication protection module coupled to the session key derivation module and the wireless transceiver to apply protection to WLAN data using the session keys.
  • FIG. 1 is a functional block diagram of a system 100 that uses CDMA2000 credentials 110 for authentication of a CDMA2000 wireless communication device 120 and also for authentication of a WLAN wireless communication device 130. Each CDMA2000 subscriber unit 120, such as a cellular telephone or personal digital assistant with wireless CDMA2000 transceiver, makes use of a User Identity Module (UIM) that contains CDMA2000 credentials 110. (When it is removable, then it is called a Removable UIM (R-UIM), but we will not distinguish here between UIM and R-UIM and instead focus on its function.) These CDMA2000 credentials 110 are used by the CDMA2000 wireless communication device 120 when communicating through a wireless connection 125 to a CDMA2000 base station 160. Preferably, the wireless connection 125 uses the CDMA2000 air interface protocol, which is backwards compatible with ANSI-95. If the base station 160 communicates through connection 165 with a CDMA2000 visitor location register (VLR) 170 using a protocol such as CDMA2000 A, the VLR will query a CDMA2000 home location register authentication center (HLR/AC) 190 over communication connection 175 during the process of authenticating the wireless communication device 120. The communication connection 175 preferably uses ANSI-41 protocols.
  • A WLAN subscriber unit 130, such as a laptop or personal digital assistant with WLAN transceiver, uses the same CDMA2000 credentials 110 used to authenticate the CDMA2000 subscriber device 120. These CDMA2000 credentials 110 are used by the WLAN wireless communication device 130 when communicating through wireless connection 135 to a WLAN access point 140. Preferably, the wireless connection 135 uses an IEEE Wireless protocol, such as IEEE 802.11. The WLAN access point 140 is connected to a WLAN Authentication (AAA) server 150 through communication connection 145, which preferably uses a Wired Network protocol. The WLAN AAA server 150 uses a communication connection 155 to verify the CDMA2000 credentials of the WLAN wireless communication device 130 with the CDMA2000 HLR/AC 190. The communication connection 155 preferably uses ANSI-41 protocols.
  • A benefit of using the same CDMA2000 credentials 110 to authenticate both CDMA2000 access and WLAN access is that a network operator can more easily integrate WLAN services into existing CDMA2000 infrastructure. A user of CDMA2000 and WLAN services can receive a uniform bill for both the CDMA2000 and the WLAN services.
  • FIG. 2 is a flowchart 200 showing a WLAN device authentication process in a WLAN network according to a preferred embodiment. This authentication process uses CDMA2000 credentials, such as CDMA2000 credentials 110 shown in FIG. 1, to verify a WLAN device, such as the WLAN subscriber unit 130 shown in FIG. 1. Additionally, the WLAN device verifies the WLAN network. The authentication process preferably is implemented as a network protocol with a WLAN server such as the WLAN AAA server 150 shown in FIG. 1.
  • Step 201 starts the WLAN device authentication process at the WLAN network. The start step 201 can be initiated by receiving an access request from a WLAN device. Preferably, the access request includes an identifier of the WLAN device, a WLAN subscription identifier (W-ID), and a 128 bit random number RANDreq. The RANDreq is a random challenge to the WLAN network that will be used to verify the WLAN network after a valid master key is confirmed for the WLAN device. Other information, such as a CDMA2000 subscription identity (M-ID) may also be included in the access request from a WLAN device. Additionally, the start step 201 can be initiated by the WLAN network re-authenticating a WLAN device already on the WLAN network. Generally, a WLAN network will re-authenticate WLAN devices periodically as determined by the network operator. Re-authentication triggers can depend on the passage of time, a request or requirement to update the master or session key(s), CDMA2000 authentication center-triggered SSD update, as well as dynamic network conditions such as network traffic and available bandwidth.
  • Step 210 checks whether a valid master key already exists for authenticating the WLAN device. A valid master key implies that there is a master key stored in the WLAN server for the device and the server considers the key as being properly up-to-date. If a valid master key exists, the WLAN device is authenticated through steps 237, 238, 239, and 240, and the process ends in step 299. Details regarding the authentication steps are below. If a valid master key already exists, there is no need for the WLAN network to communicate with a CDMA2000 authentication center, which results in no negative impact on network traffic. A valid master key may already exist because, for example, the WLAN device has recently been authenticated. For instance, if a recently authenticated WLAN device detached from the WLAN network and soon reattached to the WLAN network, the authentication process would start in step 201 but the master key would still be valid for that WLAN device. Another situation where there may be a pre-existing valid master key is when the device has no CDMA2000 subscription but only a WLAN subscription. In this case, the master key is the only key for WLAN authentication. It can be installed at the time of subscription activation.
  • If no valid master key exists, the WLAN network will perform a CDMA2000 global challenge and response with the WLAN device in step 213. A valid master key may not exist because, for example, the WLAN device has not previously been authenticated with the WLAN network, or because the master key has been invalidated or expired.
  • Step 216 verifies the CDMA2000 global challenge and response between the WLAN device and the WLAN network. Details regarding step 216, which depend on whether SSD is shared or not shared with the WLAN serving network, are shown in FIG. 3. If the CDMA2000 global challenge and response are not validated in step 220, the WLAN network sends an “authentication failed” message to the WLAN device in step 250 and the authentication process ends in step 299. If the CDMA2000 global challenge and response are valid in step 220, the WLAN network will perform a CDMA2000 unique challenge and response with the WLAN device in step 223.
  • Step 226 verifies the CDMA2000 unique challenge and response between the WLAN device and the WLAN network. If the response to the CDMA2000 unique challenge is not valid in step 230, the WLAN network sends an “authentication failed” message to the WLAN device in step 250 and the authentication process ends in step 299. If step 230 determines that the CDMA2000 unique challenge and response are valid, the WLAN network obtains a CDMA2000 encryption key in step 233.
  • Depending on the configuration of the CDMA2000 authentication center, the WLAN network may receive the CDMA2000 encryption key from the CDMA2000 authentication center or the WLAN network may generate the CDMA2000 encryption key. Preferably, the CDMA2000 encryption key is a signal encryption key (SMEKEY) that is conventionally generated by a CDMA2000 network for signal encryption. In this embodiment, however, the SMEKEY is re-deployed for use as WLAN key material for generating a master key.
  • If SSD sharing is allowed with the WLAN network, the WLAN network generates a CDMA2000 encryption key from a shared 64-bit SSD-B key for the WLAN device. Otherwise, if SSD sharing is not allowed with the WLAN network, the WLAN network receives a CDMA2000 encryption key from the CDMA2000 authentication center. Preferably, the CDMA2000 authentication center automatically generates and sends the encryption key upon successful validation of the WLAN device's response to the CDMA2000 unique challenge in step 226 and step 230.
  • In step 234, the WLAN network derives a master key from the CDMA2000 encryption key for use when communicating with the WLAN device. In FIG. 5, step 540 and the accompanying text describe details of deriving the master key.
  • Meanwhile, the UIM in the WLAN device also generates a CDMA2000 encryption key. The WLAN device derives a master key from the encryption key using the same methodology as described for the WLAN network master key. See FIG. 7 and accompanying text. Now both the WLAN device and the WLAN network hold a master key derived from the same CDMA encryption key (SMEKEY).
  • With a master key, the WLAN network can compute a response to the random challenge RANDreq received in step 201. FIG. 5 and the accompanying text describe details of computing a response to the random challenge RANDreq. In step 237, the WLAN network and the WLAN device perform a WLAN challenge and response authentication. FIG. 6 provides more detail regarding the WLAN challenge and response authentication in step 237. The WLAN network verifies the response from the WLAN device by using the master key in step 238. An invalid response as determined in step 239 will lead to sending an “authentication failed” message to the WLAN device in step 250 and the end of the protocol in step 299. A valid response as determined in step 239 implies a successful authentication and will lead to step 240.
  • In step 240, the WLAN network uses its master key to derive session keys. In FIG. 5, step 570 and the related text describe details of deriving session keys. Once the session keys are generated, the WLAN device authentication process is successful and ends in step 299. Once the session keys are generated, they are used to protect communications between the WLAN access point and the WLAN device. Thus, the process shown in FIG. 2 enables the generation of a valid master key which in turn is used to perform WLAN authentication without the need for the WLAN server to communicate with the CDMA2000 authentication center. See also FIG. 6 and accompanying text, which details the WLAN authentication process.
  • The WLAN device can be authenticated by a WLAN master key without communicating with a CDMA2000 HLR/AC such that adding WLAN service would not increase network traffic significantly. If a CDMA2000 authentication center allows sharing of shared secret data (SSD) with the WLAN network, network traffic can be reduced further. Otherwise, the WLAN network will need to communicate with the CDMA2000 authentication center when generating or updating a WLAN master key.
  • FIG. 3 is a flowchart 300 showing details of performing and verifying a CDMA2000 global challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2. Essentially, the flowchart 300 provides details for step 213 and step 216 shown in FIG. 2.
  • Step 310 generates a CDMA2000 global challenge. Next, step 320 sends the CDMA2000 global challenge to the WLAN device. Preferably, the WLAN network formats the CDMA2000 global challenge according to an EAP/CDMA2000 protocol, which is a CDMA2000 extension of the EAP protocol. See FIG. 9 and accompanying text for more detail regarding the EAP/CDMA2000 protocol. In step 330, the WLAN network receives from the WLAN device a response to the CDMA2000 global challenge. Steps 310, 320, and 330 form details of step 213 shown in FIG. 2.
  • Next, step 350 determines whether SSD sharing is allowed with the WLAN network. If SSD is not shared, the WLAN network sends the CDMA2000 global challenge and the WLAN device's response to the appropriate CDMA2000 authentication center along with the WLAN device's CDMA2000 subscription identity (M-ID) in step 360. Preferably, communications between the WLAN network and the CDMA2000 authentication center are formatted according to the ANSI-41 protocol. The WLAN network then receives a response from the CDMA authentication center in step 370, which indicates whether the CDMA2000 global challenge and response were valid.
  • If step 350 determines that a CDMA2000 authentication center allows sharing of SSD with the WLAN network, then in step 380, the WLAN network will verify the WLAN device's response to the CDMA2000 global challenge without interacting with the CDMA2000 authentication center. SSD sharing enables verification of the CDMA2000 global challenge and response with less network traffic than a non-shared SSD situation. Steps 350, 360, 370, and 380 form details of step 216 shown in FIG. 2.
  • FIG. 4 is a flowchart 400 showing details of performing and verifying a CDMA2000 unique challenge and response according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2. Essentially, the flowchart 400 provides details for step 223 and step 226 shown in FIG. 2. Note that the CDMA2000 authentication center may initiate a CDMA2000 unique challenge even though SSD is shared with the serving network. In this case, the WLAN serving network will perform a unique challenge to comply with CDMA2000 network authentication requirements.
  • Step 410 determines whether SSD sharing is allowed with the WLAN network. If SSD sharing is not allowed with the WLAN network, the WLAN network receives a CDMA2000 unique challenge together with its response from the CDMA2000 authentication center in step 420. Preferably, the CDMA2000 authentication center automatically sends the CDMA2000 unique challenge and response after it has validated the CDMA2000 global challenge and response. The CDMA2000 unique challenge and response from the CDMA2000 authentication center is preferably formatted according to the ANSI-41 protocol.
  • The WLAN server then sends the CDMA2000 unique challenge to the WLAN device in step 430. Preferably, the WLAN network reformats the CDMA2000 unique challenge according to the EAP/CDMA2000 protocol before communicating the CDMA2000 unique challenge to the WLAN device. Then, in step 440, the WLAN network receives a response to the CDMA2000 unique challenge from the WLAN device. Steps 410, 420, 430, and 440 are included in step 223 shown in FIG. 2.
  • Next, in step 450 the WLAN server verifies the WLAN device's response to the CDMA2000 unique challenge by comparing it with the one received from CDMA2000 authentication center in step 420. Step 450 is included in step 226 shown in FIG. 2.
  • If SSD sharing is allowed with the WLAN network as determined by step 410, the WLAN network generates a CDMA2000 unique challenge in step 425. Preferably, the WLAN network automatically generates the CDMA2000 unique challenge after it has validated the CDMA2000 global challenge and response. In a situation where a CDMA2000 home network initiates a CDMA2000 unique challenge, the WLAN network receives the CDMA2000 unique challenge from the CDMA2000 authentication center instead of generating a CDMA2000 unique challenge in step 425. Note that the unique challenge from the CDMA2000 authentication center is preferably formatted according to the ANSI-41 protocol.
  • The WLAN server then sends the CDMA2000 unique challenge to the WLAN device in step 435. Preferably, the WLAN network formats the CDMA2000 unique challenge according to the EAP/CDMA2000 protocol before communicating the CDMA2000 unique challenge to the WLAN device. Then, in step 445, the WLAN network receives a response to the CDMA2000 unique challenge from the WLAN device. Steps 425, 435, and 445 are also included in step 223 shown in FIG. 2.
  • Next, the WLAN server verifies the WLAN device's response to the CDMA2000 unique challenge in step 455. Preferably, the response is reformatted to comply with the ANSI-41 protocol. Because SSD is shared, in step 455 the WLAN server computes a response and then compares it with the response received from the WLAN device.
  • FIG. 5 is a flowchart 500 showing details of deriving and using a WLAN to master key according to the preferred embodiment of the WLAN device authentication process shown in FIG. 2. Essentially, the flowchart 500 provides details to use a CDMA2000 encryption key to derive a master key in step 234, to authenticate the WLAN device in steps 237, 238, and 239, and to derive session keys in step 240. The flowchart also includes an authentication of the WLAN network to a WLAN device. A challenge RANDreq is received in step 201 implicitly. The WLAN server uses the master key to compute a response to RANDreq implicitly included in step 237.
  • Step 510 determines whether SSD sharing is allowed. If SSD sharing is not allowed, then in step 520, the WLAN server obtains a CDMA encryption key from the CDMA2000 authentication center. If SSD sharing is allowed, then the WLAN server generates a CDMA2000 encryption key in step 530.
  • Upon either obtaining, in step 520, or generating, in step 530, a CDMA2000 encryption key, the WLAN server will derive a WLAN master key in step 540. Preferably, the WLAN network derives a master key from the CDMA2000 encryption key using a pseudorandom function. The input to the pseudorandom function should include the CDMA2000 encryption key (SMEKEY), a CDMA2000 subscription identity (M-ID), and a WLAN subscription identity (W-ID) if it is different from the CDMA2000 subscription identity. It may also include a version number (Version-ID), a counter (Counter), as well as other information. Here, without loss of generality, we assume a pseudorandom function with a 128 bit output value and use it as the master key. In the following equation, notation “|” implies concatenation.
    MK(Master Key)=PRF MK(SMEKEY|M-ID|W-ID|Version-ID|Counter| . . . ).
    where the pseudorandom function PRF_MK (x) used to derive the key can be any standard specified pseudorandom function.
  • In step 550 the WLAN authentication server computes a response to authenticate itself to the WLAN device by responding to the random challenge RANDreq. As an example, the response Auth-server is computed as
    Auth-server=H(MK|RANDreq|Nouce 4| . . . ).
    where the hash function H(x) used to compute the response can be any standard specified one-way hash function. The variable MK is the master key, and Nounce4 is a public variable such as system time, counter number, or publicly shared random number.
  • In step 560, the WLAN server generates a random challenge RANDch and sends it to the WLAN device. The WLAN device then use the random challenge (RANDch) together with its master key (MK) and potentially public variables (Nounce_X) such as system times, counter numbers, or publicly shared random numbers, to compute an authentication response (Auth-Res).
    Auth-Res=H(MK|RANDch|Nouce 1| . . . ).
    The WLAN server will verify the response by computing Auth-Res with the master key and comparing it with the received one. The hash function H(x) used to compute the response can be any standard specified one-way hash function.
  • In step 570, the WLAN server derives an encryption key (Cipher-key), an integrity protection key (MAC-key), and other keys using pseudorandom functions from the master key. Following are examples for computing an encryption key and an integrity key.
    Cipher-key=PRF c(MK|RANDch|RANDreq|Nouce 2| . . . ),
    MAC-Key=PRF mac(MK|RANDch|RANDreq|Nouce 3| . . . ).
  • The pseudorandom functions PRF(x) used to derive the keys can be any standard specified pseudorandom functions. For example, they can be essentially the same function with different parameters.
  • FIG. 6 is a flowchart 600 showing details of WLAN network authentication of a WLAN device using a derived WLAN master key. This flowchart 600 is a subset of the authentication process shown in FIG. 2. Notice that the WLAN network authentication process does not require any interaction with a CDMA2000 authentication center, because there exists a valid master key for the WLAN device.
  • In start step 601, we assume that the WLAN server has initiated the WLAN network authentication process which means that there exists a valid master key for the WLAN device. In step 610, the WLAN server retrieves the random challenge RANDreq received in an earlier stage and computes a response. In step 620, it generates a random challenge RANDch and sends it to the WLAN device preferably together with the response to RANDreq computed in step 610. In step 630, the WLAN device receives a response from the WLAN device to the random challenge RANDch. Steps 620 and 630 are included in step 237 of FIG. 2. In step 238 (shown here and also in FIG. 2), the WLAN server verifies the WLAN device's response to the random challenge RANDch using the master key. If it is a valid response as determined in step 239, then the WLAN server derives the session keys in step 240. Otherwise, step 250 sends an “authentication failed” message to the WLAN device and the protocol ends in step 699. This flowchart 600 highlights a situation where the WLAN network does not need to communicate with CDMA2000 authentication center—regardless of whether SSD sharing is allowed or not allowed.
  • The WLAN network authentication procedure shown in FIG. 6 is more frequently conducted than a full authentication with the CDMA2000 network shown in FIG. 2 Therefore, the network traffic will be significantly reduced by using such a master key.
  • FIG. 7 is a flowchart 700 showing a WLAN device authentication process in a WLAN device according to a preferred embodiment. This authentication process uses CDMA2000 credentials to authenticate to a WLAN network such as the one shown in FIG. 1. This authentication process preferably is implemented as a computer program in a WLAN device with a UIM such as the WLAN wireless communication device 130 with CDMA2000 credentials 110 shown in FIG. 1.
  • Step 701 starts the WLAN device authentication process at the WLAN device. The start step 701 is initiated by a WLAN device when requesting access to a WLAN network as described previously with reference to FIG. 1. Additionally, the start step 701 can be initiated by the WLAN network requesting re-authentication of the WLAN device as described previously with reference to FIG. 1. Generally, a WLAN network will re-authenticate WLAN devices and/or update the master key periodically as determined by the network operator. Preferably, all communications to and from the WLAN device are in accordance with the EAP/CDMA2000 protocol.
  • Upon initiating the authentication process, the WLAN device generates a random challenge RANDreq in step 703. Then it sends the challenge to the WLAN network in step 706. If the WLAN server has a valid master key, the flow will skip to step 785, which starts a WLAN network authentication. If the WLAN server does not have a valid master key for this WLAN device, then a full authentication occurs starting with step 710. See decision step 210 in FIG. 2 and accompanying text. The WLAN device receives a CDMA2000 global challenge from the WLAN network in step 710. Using its CDMA2000 credentials 110 shown in FIG. 1, the WLAN device formulates a response to the global challenge in step 720. The WLAN device then sends the response to the WLAN network in step 730. If the response to the global challenge is valid, the WLAN device receives a CDMA2000 unique challenge in step 740. Using its CDMA2000 credentials in the UIM of the WLAN device, the WLAN device formulates a response to the CDMA2000 unique challenge in step 750. Then in step 760, it sends the response to the CDMA2000 unique challenge to the WLAN network.
  • If the response to the CDMA2000 unique challenge is valid, the WLAN device will receive a “success” message in step 765 and the WLAN device generates a CDMA2000 encryption key in step 770. Preferably, the WLAN network encryption key is a signal encryption key (SMEKEY) that is conventionally generated from CDMA2000 credentials for signal encryption in a CDMA2000 network. In this situation, however, the SMEKEY is re-deployed for use as WLAN key material to generate a master key. From the encryption key, the WLAN device derives a master key in step 780 as previously described with reference to FIG. 2. Upon generating a master key, the WLAN device will receive a WLAN authentication challenge RANDch in step 785, and this message may also include a response to the random challenge RANDreq sent in step 706. The WLAN device uses the master key to verify the response to RANDreq from the network in step 789. If it is valid, then it uses the master key to calculate a response corresponding to the WLAN challenge RANDch in step 790. The response is sent to the WLAN network in step 795.
  • Using the master key, the WLAN device derives session keys in step 797 similar to the process previously described with reference to step 240 of FIG. 2. Upon authentication of WLAN device and generation of the session keys, the WLAN device authentication process ends in step 799, and the session keys can be used to protect communications between the WLAN access point and the WLAN device.
  • FIG. 8 is a functional block diagram of a WLAN device 800 according to a preferred embodiment. The WLAN device 800 generates a CDMA2000 encryption key, authenticates WLAN networks, and encrypts WLAN data. The WLAN device 800 has an antenna 899 and transceiver 890 for wireless communication.
  • In a CDMA2000 user identification module (UIM) 801, the CDMA2000 UIM generates and outputs a CDMA2000 encryption key, such as a SMEKEY. The UIM can be either a permanently installed UIM or a removable UIM (R-UIM). The WLAN device then generates a WLAN master key in a master key generation module 810, which is coupled to the UIM and receives the CDMA2000 encryption key and uses it as a basis for master key generation. A random number generator 805, coupled to the transceiver 890, WLAN authentication module 850, and session key derivation module 860, generates random challenge RANDreq. A WLAN authentication module 850, coupled to the master key generation module 810 and the transceiver 890, receives a challenge RANDch from the WLAN network and a network response to a previously generated challenge RANDreq, and it verifies the response to the previously generated challenge RANDreq from the WLAN network using its master key. If the response is valid, the WLAN authentication module 850 calculates a response to the WLAN challenge RANDch using the master key. The WLAN authentication module 850 then sends the response to the random challenge RANDch to the transceiver 890.
  • After the challenge and response is successfully performed, the session key derivation module 860, which is coupled to the WLAN authentication module 850 and the master key generation module 810, derives session keys from the master key. Communication protection module 870, which is coupled to the session key derivation module 860 and the transceiver 890, uses the session keys in data protection algorithms for communication protection.
  • Preferably, the modules are implemented as software running in a processor of the WLAN device and are directly or indirectly connected to the transceiver.
  • FIG. 9 is a flowchart 900 showing a process for converting CDMA2000 authentication protocol to a new extension of Extensible Authentication Protocol (EAP), called EAP/CDMA2000. Preferably a WLAN server such as the WLAN AAA server 150 shown in FIG. 1 performs this conversion process. The protocol is executed between a WLAN network and a WLAN device with CDMA credentials. The main messages of EAP are “request”, “response”, and “success” or “failure”. After the server sends a request message to the device, the device replies with a response message. A success or failure message indicates a successful or failed authentication. EAP/CDMA2000 enables a full authentication with both CDMA2000 global and unique challenges. It may also enable authentication using a valid WLAN master key with neither a global challenge nor a unique challenge but only the WLAN challenge and response.
  • EAP/CDMA2000 conversion starts in step 901. The WLAN server sends an EAP-request/identity in step 905. It then receives an EAP-response/identity and verifies it in step 910. Steps 905 and 910 are variants of known messages used in many EAP extensions.
  • In step 915, the WLAN server sends an EAP-request/CDMA2000/start message. The WLAN device recognizes the message as a new extension of EAP using CDMA credentials. The WLAN server receives an EAP-response/CDMA2000/start message from the WLAN device in step 920. The EAP-response/CDMA2000/start message may include embedded data RANDreq. RANDreq is a challenge from the WLAN device which the WLAN server saves for future use as described previously with reference to FIG. 6, step 610.
  • In step 925, the WLAN server generates a global challenge as specified in CDMA2000 and embeds the global challenge in an EAP-request/CDMA2000/Global message, before sending it. Then the WLAN server receives an EAP-response/CDMA2000/Global message in step 930. The WLAN server then fetches the response to the Global challenge from the message and verifies it. When SSD is not shared, verification will most likely require communication with a CDMA2000 authentication center. When SSD is shared, the WLAN server can verify without interacting with the CDMA2000 authentication center. This is shown and described with reference to FIG. 3. In step 935, if the response to the global challenge is not valid, step 980 sends an EAP failure message.
  • If the response to the global challenge is valid according to step 935, the WLAN server generates a CDMA2000 unique challenge by itself or receives a CDMA2000 unique challenge from a CDMA2000 authentication center in step 940. In either case, the CDMA2000 unique challenge is inserted to an EAP-request/CDMA2000/Unique message and sent. The WLAN server receives an EAP-response/CDMA2000/Unique message in step 945. The WLAN server fetches the response from the message and verifies it in accordance with FIG. 4 and the accompanying text. Preferably, the CDMA2000 authentication center is involved when SSD is not shared and the CDMA2000 authentication center is not involved when SSD is shared. If step 950 determines it is not a valid response, then the WLAN server sends an EAP failure message in step 980.
  • If step 950 determines the response is valid, in step 955 the WLAN server generates a random challenge RANDch, embeds it in an EAP-request/CDMA2000/Challenge message, and sends it. The message includes a response from the WLAN server to the challenge RANDreq received and saved in step 920. In step 965, the WLAN server receives an EAP-response/CDMA2000/Challenge message. The WLAN server fetches the response from the message and verifies it. If step 970 determines the response is valid, then the WLAN server sends an EAP success message and derives session keys in step 975. Otherwise, the WLAN server sends an EAP failure message in step 980. The method ends in step 999.
  • FIG. 10 is a flowchart showing a process 1000 for a shared secret data (SSD) update with a WLAN server converting an SSD update protocol to a new extension of Extensible Authentication Protocol (EAP) called EAP/CDMA2000. An SSD update is usually initiated by a CDMA2000 authentication center. A WLAN server executes an SSD update with a WLAN device to comply with a security policy of the CDMA2000 network and to maintain the interface with the CDMA2000 authentication center. After the process starts in step 1001, the protocol is generally triggered by a message from a CDMA2000 authentication center indicating an SSD update in step 1003. In step 1003, the WLAN server receives a random number RANDSSD for an SSD update.
  • The WLAN server then sends an EAP-request/identity message in step 1005. It receives an EAP-response/identity message and verifies it in step 1010. Steps 1005 and 1010 are messages common to all EAP extensions.
  • In step 1015, the WLAN server sends an EAP-request/CDMA2000/start message. The device recognizes the execution is an extension of EAP using CDMA credentials. The WLAN server receives an EAP-response/CDMA2000/start message in step 1020. The EAP-response/CDMA2000/start message may include data RANDreq. RANDreq is a challenge from the WLAN device. The WLAN server saves the RANDreq.
  • The SSD update is indicated by sending an EAP-request/CDMA2000/SSD message in step 1025. The random number RANDSSD received in step 1003 from the CDMA2000 authentication center is included in the EAP-request/CDMA2000/SSD message. The RANDSSD will be used to compute a new SSD at the device. The EAP-response/CDMA/SSD message received in step 1030 includes a random challenge RANDBS. This is a challenge from the device to the CDMA2000 network.
  • If the new SSD is not shared, then the WLAN server sends the random challenge RANDBS to the CDMA2000 authentication center in step 1035 and requests a response. It receives a response AUTHBS in step 1040 from the CDMA2000 authentication center. If the new SSD is shared, then steps 1035 and 1040 will be skipped. Instead, the WLAN server computes the response AUTHBS.
  • The response AUTHBS is included in an EAP-request/CDMA2000/SSDBS message and sent in step 1045. The received EAP-Response/CDMA2000/SSDBS message indicates a validation or invalidation of the response AUTHBS in step 1050.
  • The WLAN server may generate a CDMA2000 unique challenge itself or receive a CDMA2000 unique challenge from CDMA2000 authentication center in step 1050. In either case, the CDMA2000 unique challenge is inserted to an EAP-request/CDMA2000/Unique message and the message is sent in step 1055. In step 1060, the WLAN server receives an EAP-response/CDMA2000/Unique message. The WLAN server fetches the response from the message and verifies in accordance with FIG. 4 and the accompanying text. Preferably verification occurs with the CDMA2000 authentication center when the new SSD is not shared and verification is autonomous when the new SSD is shared. If step 1065 determines the response is not valid, the WLAN server sends an EAP failure message in step 1090 and the process ends in step 1099.
  • If the response is valid, in step 1070, the WLAN server generates a random challenge RANDch, embeds it in an EAP-request/CDMA2000/Challenge message and sends it. The message includes a response from the WLAN server to the challenge RANDreq received and saved in step 1020. In step 1075, the WLAN server receives an EAP-response/CDMA2000/Challenge message. The WLAN server fetches the response from the message and verifies it. If step 1080 determines the response to the random challenge is valid, then the WLAN server sends an EAP success message and derives session keys in step 1085 before successfully completing an SSD update in step 1099. Otherwise, the WLAN server sends an EAP failure message in step 1090 before the process ends in step 1099.
  • Note that the WLAN authentication process employs CDMA2000 device authentication only to the stage that a CDMA2000 encryption key is generated and a master key is formed in the device. This approach relieves the network from frequent interactions between the WLAN network and the CDMA2000 network. An advantage to this approach is that because a WLAN authentication server preferably converts the EAP/CDMA2000 protocol to an ANSI-41 protocol when communicating with the CDMA2000 authentication center, and conversely converts the ANSI-41 protocol to EAP/CDMA2000 protocol when communicating with the WLAN device, the WLAN device authentication process integrates easily into existing WLAN networks and CDMA2000 networks.
  • Thus, the system, method, and devices for authentication in a WLAN provide a system, method, and devices for using CDMA2000 credentials to authenticate WLAN devices. This process minimizes disruption of existing authentication processes for CDMA2000 and for WLAN and does not greatly increase network traffic. This process does not require any changes to the CDMA2000 credentials or the CDMA2000 authentication center.
  • While this disclosure includes what are considered presently to be the preferred embodiments and best modes of the invention described in a manner that establishes possession thereof by the inventors and that enables those of ordinary skill in the art to make and use the invention, it will be understood and appreciated that there are many equivalents to the preferred embodiments disclosed herein and that modifications and variations may be made without departing from the scope and spirit of the invention, which are to be limited not by the preferred embodiments but by the appended claims, including any amendments made during the pendency(?) of this application and all equivalents of those claims as issued.
  • The terms “a” or “an,” as used herein, are defined as one or more than one. The term “plurality,” as used herein, is defined as two or more than two. The term “another,” as used here, is defined as at least a second or more. The terms “including,” “comprising,” and/or “having,” as used herein, are defined as a non-exclusive inclusion (i.e., open language). The term “coupled,” as used herein, is defined as connected, although not necessarily directly and not necessarily mechanically.
  • The term “program”, as used herein, is defined as a sequence of instructions designed for execution on a computer system. A “program”, or “computer program”, may include a subroutine, a function, a procedure, an object method, an object implementation, in an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a computer system.
  • It is further understood that the use of relational terms such as first and second, top and bottom, and the like, if any, are used solely to distinguish one from another entity, item, or action without necessarily requiring or implying any actual such relationship or order between such entities, items or actions. Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs with minimal experimentation. Therefore, further discussion of such software, if any, will be limited in the interest of brevity and minimization of any risk of obscuring the principles and concepts according to the present invention.

Claims (34)

1. A system comprising:
a CDMA2000 authentication center, for authenticating CDMA2000 credentials;
a wireless local area network (WLAN) authentication server, coupled to the CDMA2000 authentication center, for using CDMA2000 credentials to authenticate WLAN devices holding CDMA2000 credentials; and
at least one WLAN device holding CDMA2000 credentials, coupled to the WLAN authentication server.
2. A system in accordance with claim 1, further comprising:
a WLAN access point, coupled to the WLAN authentication server and wirelessly coupled to the at least one WLAN device holding CDMA2000 credentials.
3. A system according to claim 1, wherein the WLAN authentication server communicates with the CDMA2000 authentication center using an ANSI-41 protocol.
4. A system according to claim 1, wherein the WLAN authentication server communicates with the at least one WLAN device holding CDMA2000 credentials using an extension of Extensible Authentication Protocol (EAP).
5. A method for a wireless local access network (WLAN) server to authenticate a WLAN device using CDMA2000 credentials, comprising the steps of:
performing a CDMA2000 global challenge and response with the WLAN device;
verifying the CDMA2000 global challenge and response;
performing a CDMA2000 unique challenge and response with the WLAN device;
verifying the CDMA2000 unique challenge and response; and
obtaining a CDMA2000 encryption key.
6. A method according to claim 5, wherein the CDMA2000 encryption key is a signal encryption key.
7. A method according to claim 5, further comprising the step of:
deriving a master key from the CDMA2000 encryption key.
8. A method according to claim 7, further comprising the steps of:
performing a WLAN challenge and response with the WLAN device;
verifying the WLAN challenge and response; and
deriving session keys from the master key.
9. A method in accordance with claim 8, wherein the step of performing a WLAN challenge and response with the WLAN device comprises the steps of:
receiving a random challenge RANDreq from the WLAN device;
formatting a response to the random challenge RANDreq;
generating a random challenge RANDch;
sending the random challenge RANDch to the WLAN device;
sending the response to the random challenge RANDreq to the WLAN device; and
receiving a response to the random challenge RANDch from the WLAN device.
10. A method in accordance with claim 8, further comprising the step of:
using the session keys to protect communications between the WLAN and the WLAN device.
11. A method in accordance with claim 5, wherein the step of verifying the global challenge and response comprises the steps of:
determining if a CDMA2000 authentication center shares shared secret data (SSD) with the WLAN server;
sending the global challenge and response to the CDMA2000 authentication center, if the CDMA2000 authentication center does not share SSD with the WLAN server; and
receiving a response from the CDMA2000 authentication center, if the CDMA2000 authentication center does not share SSD with the WLAN server.
12. A method in accordance with claim 5, wherein the step of verifying the CDMA2000 global challenge and response comprises the steps of:
determining if a CDMA2000 authentication center shares shared secret data (SSD) with the WLAN server; and
verifying the global challenge and response autonomously, if the CDMA2000 authentication center does share SSD with the WLAN server.
13. A method in accordance with claim 5, wherein the step of performing a CDMA2000 unique challenge and response comprises the steps of:
determining if a CDMA2000 authentication center shares shared secret data (SSD) with the WLAN server;
receiving a unique challenge and response from the CDMA2000 authentication center, if the CDMA2000 authentication center does not share SSD with the WLAN server;
sending the unique challenge to the WLAN device;
receiving a response to the unique challenge from the WLAN device; and
comparing the response from the WLAN device to the response from the CDMA2000 authentication center.
14. A method in accordance with claim 5, wherein the step of performing a unique challenge and response comprises the steps of:
determining if a CDMA2000 authentication center shares shared secret data (SSD) with the WLAN server;
generating a unique challenge, if the CDMA2000 authentication center does share SSD with the WLAN server;
sending the unique challenge to the WLAN device;
receiving a response to the unique challenge from the WLAN device; and
verifying the response from the WLAN device.
15. A method for a wireless local access network (WLAN) server to authenticate a WLAN device using CDMA2000 credentials comprising the steps of:
determining if the WLAN server has a valid master key for the WLAN device;
performing a WLAN challenge and response with the WLAN device, if there is a valid master key for the WLAN device;
verifying the WLAN challenge and response; and
deriving session keys from the master key.
16. A method in accordance with claim 15, further comprising the step of:
using the session keys to protect communications between the WLAN and the WLAN device.
17. A method in accordance with claim 15, wherein the WLAN server does not communicate with a CDMA2000 authentication center.
18. A method in accordance with claim 15, further comprising the steps of:
performing a global challenge and response with the WLAN device, if there is not a valid master key for the WLAN device;
verifying the global challenge and response;
performing a unique challenge and response with the WLAN device; and
verifying the unique challenge and response.
19. A method in accordance with claim 18, wherein the step of performing a global challenge and response with the WLAN device comprises the steps of:
obtaining the global challenge;
inserting the global challenge into an extension of Extensible Authentication Protocol (EAP) request message;
sending the EAP request message;
receiving an EAP response message; and
fetching a response to the global challenge from the EAP response message.
20. A method in accordance with claim 18, wherein the step of performing a unique challenge and response with the WLAN device comprises the steps of:
obtaining the unique challenge;
inserting the unique challenge into an extension of Extensible Authentication Protocol (EAP) request message;
sending the EAP request message;
receiving an EAP response message; and
fetching a response to the unique challenge from the EAP response message.
21. A method in accordance with claim 18, further comprising the steps of:
obtaining a CDMA2000 encryption key;
deriving a master key from the CDMA2000 encryption key;
performing a WLAN challenge and response with the WLAN device; and
verifying the WLAN challenge and response.
22. A method in accordance with claim 21, wherein the step of performing a WLAN challenge and response with the WLAN device comprises the steps of:
generating a WLAN challenge;
inserting the WLAN challenge into an extension of Extensible Authentication Protocol (EAP) request message;
sending the EAP request message;
receiving an EAP response message; and
fetching a response to the WLAN challenge from the EAP response message.
23. A method in accordance with claim 21, further comprising the steps of:
deriving session keys from the master key; and
using the session keys to protect communications between the WLAN and the WLAN device.
24. A method in accordance with claim 15, wherein there is not a valid master key for the WLAN device when the WLAN server initiates an update to the master key.
25. A method in accordance with claim 15, wherein the WLAN server authenticates the WLAN device using an extension of Extensible Authentication Protocol (EAP).
26. A method for a wireless local access network (WLAN) server to update shared secret data (SSD) in a WLAN device using CDMA2000 credentials, comprising the steps of:
receiving an SSD update request from a CDMA2000 authentication center;
performing an SSD update with the WLAN device;
obtaining a CDMA2000 encryption key;
deriving a master key from the CDMA2000 encryption key;
performing a WLAN challenge and response with the WLAN device;
verifying the WLAN challenge and response; and
deriving session keys from the master key.
27. A method in accordance with claim 26, wherein the WLAN server performs the SSD update with the WLAN device using an extension of Extensible Authentication Protocol (EAP).
28. A wireless local area network (WLAN) device having a wireless transceiver comprising:
a CDMA2000 user identifier module (UIM), for storing CDMA2000 credentials and generating a CDMA2000 encryption key;
a random number generator, coupled to the wireless transceiver, for generating a random challenge;
a master key generation module, coupled to the UIM, for deriving a WLAN master key from the CDMA2000 encryption key;
a WLAN authentication module, coupled to the random number generator, the master key generation module, and the wireless transceiver, for responding to a challenge from a WLAN server;
a session key derivation module, coupled to the random number generator, the WLAN authentication module, and the master key generation module, to derive session keys from the master key; and
a communication protection module, coupled to the session key derivation module and the wireless transceiver, to apply protection to WLAN data using the session keys.
29. A method according to claim 28, wherein the CDMA2000 encryption key is a signal encryption key.
30. A method for a wireless local access network (WLAN) device using CDMA2000 credentials to authenticate with a WLAN server, comprising the steps of:
receiving a global challenge from the WLAN server;
formulating a response to the global challenge;
sending the global challenge to the WLAN server;
receiving a unique challenge from the WLAN server;
formulating a response to the unique challenge;
sending the unique challenge to the WLAN server;
generating a CDMA2000 encryption key; and
deriving a master key from the CDMA2000 encryption key.
31. A method according to claim 30, further comprising the steps of:
receiving a WLAN challenge from the WLAN server;
formulating a response to the WLAN challenge;
sending the response to the WLAN server; and
deriving session keys from the master key.
32. A method in accordance with claim 31, further comprising the step of:
using the session keys to protect communications between the WLAN and the WLAN device.
33. A method in accordance with claim 30, further comprising the steps of:
generating a random challenge and sending the random challenge to the WLAN server.
34. A method in accordance with claim 33, further comprising the step of:
receiving a response to the random challenge from the WLAN server; and
verifying the response to the random challenge.
US10/741,408 2003-12-19 2003-12-19 System, method and devices for authentication in a wireless local area network (WLAN) Abandoned US20050138355A1 (en)

Priority Applications (7)

Application Number Priority Date Filing Date Title
US10/741,408 US20050138355A1 (en) 2003-12-19 2003-12-19 System, method and devices for authentication in a wireless local area network (WLAN)
KR1020067011997A KR20060123345A (en) 2003-12-19 2004-12-08 System, method, and devices for authentication in a wireless local area network(wlan)
PCT/US2004/041075 WO2005065132A2 (en) 2003-12-19 2004-12-08 System, method, and devices for authentication in a wireless local area network (wlan)
BRPI0417840-8A BRPI0417840A (en) 2003-12-19 2004-12-08 system, method, and devices for authentication to a wireless local area network (wlan)
JP2006545742A JP2007522695A (en) 2003-12-19 2004-12-08 System, method, and device for authentication in a wireless local area network (WLAN)
RU2006126074/09A RU2006126074A (en) 2003-12-19 2004-12-08 SYSTEM, METHOD AND DEVICES FOR AUTHENTICATION IN A WIRELESS LOCAL COMPUTER NETWORK (WLAN)
CNA2004800375952A CN101120534A (en) 2003-12-19 2004-12-08 System, method and devices for authentication in a wireless local area network (wlan)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/741,408 US20050138355A1 (en) 2003-12-19 2003-12-19 System, method and devices for authentication in a wireless local area network (WLAN)

Publications (1)

Publication Number Publication Date
US20050138355A1 true US20050138355A1 (en) 2005-06-23

Family

ID=34678146

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/741,408 Abandoned US20050138355A1 (en) 2003-12-19 2003-12-19 System, method and devices for authentication in a wireless local area network (WLAN)

Country Status (7)

Country Link
US (1) US20050138355A1 (en)
JP (1) JP2007522695A (en)
KR (1) KR20060123345A (en)
CN (1) CN101120534A (en)
BR (1) BRPI0417840A (en)
RU (1) RU2006126074A (en)
WO (1) WO2005065132A2 (en)

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050025091A1 (en) * 2002-11-22 2005-02-03 Cisco Technology, Inc. Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US20050198489A1 (en) * 2003-12-24 2005-09-08 Apple Computer, Inc. Server computer issued credential authentication
US20050254656A1 (en) * 2004-03-18 2005-11-17 Qualcomm Incorporated Efficient transmission of cryptographic information in secure real time protocol
US20050272406A1 (en) * 2004-06-04 2005-12-08 Lucent Technologies, Inc. Self-synchronizing authentication and key agreement protocol
US20060072759A1 (en) * 2004-09-27 2006-04-06 Cisco Technology, Inc. Methods and apparatus for bootstrapping mobile-foreign and foreign-home authentication keys in mobile IP
US20060075242A1 (en) * 2004-10-01 2006-04-06 Selim Aissi System and method for user certificate initiation, distribution, and provisioning in converged WLAN-WWAN interworking networks
US20060104247A1 (en) * 2004-11-17 2006-05-18 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US20060205386A1 (en) * 2005-03-11 2006-09-14 Lei Yu Method and apparatus for providing encryption and integrity key set-up
US20060212511A1 (en) * 2005-02-23 2006-09-21 Nokia Corporation System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
US20060224892A1 (en) * 2005-04-04 2006-10-05 Research In Motion Limited Securing a link between two devices
US20070064947A1 (en) * 2005-09-22 2007-03-22 Konica Minolta Technology U.S.A., Inc. Wireless communication authentication process and system
US20070091843A1 (en) * 2005-10-25 2007-04-26 Cisco Technology, Inc. EAP/SIM authentication for Mobile IP to leverage GSM/SIM authentication infrastructure
KR100770928B1 (en) 2005-07-02 2007-10-26 삼성전자주식회사 Authentication system and method thereofin a communication system
US20070266247A1 (en) * 2006-05-12 2007-11-15 Research In Motion Limited System and method for exchanging encryption keys between a mobile device and a peripheral output device
US20070269048A1 (en) * 2004-08-06 2007-11-22 Hsu Raymond T Key generation in a communication system
WO2007138060A1 (en) 2006-06-01 2007-12-06 Nokia Siemens Networks Gmbh & Co. Kg Method and system for providing a mesh key
WO2008080353A1 (en) * 2006-12-29 2008-07-10 China Iwncomm Co., Ltd. A wlan operation method based on wapi
US7515901B1 (en) * 2004-02-25 2009-04-07 Sun Microsystems, Inc. Methods and apparatus for authenticating devices in a network environment
US20090191844A1 (en) * 2007-10-04 2009-07-30 Morgan Todd C Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US20090190562A1 (en) * 2003-09-26 2009-07-30 Samsung Electronics Co., Ltd. Hrpd network access authentication method based on cave algorithm
CN101816200A (en) * 2007-10-04 2010-08-25 朗讯科技公司 Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US7870389B1 (en) 2002-12-24 2011-01-11 Cisco Technology, Inc. Methods and apparatus for authenticating mobility entities using kerberos
US20110107087A1 (en) * 2009-11-04 2011-05-05 Samsung Electronics Co. Ltd. Apparatus and method for refreshing master session key in wireless communication system
US20110167272A1 (en) * 2010-01-06 2011-07-07 Kolesnikov Vladimir Y Secure Multi-UIM aka key exchange
US20110208968A1 (en) * 2010-02-24 2011-08-25 Buffalo Inc. Wireless lan device, wireless lan system, and communication method for relaying packet
WO2012141555A2 (en) * 2011-04-15 2012-10-18 Samsung Electronics Co., Ltd. Method and apparatus for providing machine-to-machine service
US8375207B2 (en) * 2007-08-21 2013-02-12 Motorola Solutions, Inc. Method and apparatus for authenticating a network device
US20130291071A1 (en) * 2011-01-17 2013-10-31 Telefonaktiebolaget L M Ericsson (Publ) Method and Apparatus for Authenticating a Communication Device
US8630414B2 (en) 2002-06-20 2014-01-14 Qualcomm Incorporated Inter-working function for a communication system
CN104159255A (en) * 2014-08-11 2014-11-19 小米科技有限责任公司 Method of sharing network among terminals and device
US20150095989A1 (en) * 2013-09-29 2015-04-02 Alibaba Group Holding Limited Managing sharing of wireless network login passwords
US20150121074A1 (en) * 2008-05-27 2015-04-30 Intel Corporation Methods and apparatus for protecting digital content
US20150163215A1 (en) * 2013-04-17 2015-06-11 Tencent Technology (Shenzhen) Company Limited Method and Apparatus for Upgrading Open Authentication (OAUTH) Credentials
US9071426B2 (en) 2005-04-04 2015-06-30 Blackberry Limited Generating a symmetric key to secure a communication link
EP3328106A4 (en) * 2015-08-11 2018-08-29 Huawei Technologies Co., Ltd. Access verification method and apparatus
CN111800788A (en) * 2020-09-08 2020-10-20 全讯汇聚网络科技(北京)有限公司 Method, terminal and system for Wi-Fi connection management

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8145905B2 (en) * 2007-05-07 2012-03-27 Qualcomm Incorporated Method and apparatus for efficient support for multiple authentications
EP2245829B1 (en) * 2008-01-18 2016-01-06 InterDigital Patent Holdings, Inc. Method for enabling machine to machine communication
US20090282251A1 (en) * 2008-05-06 2009-11-12 Qualcomm Incorporated Authenticating a wireless device in a visited network
AR076087A1 (en) 2009-03-05 2011-05-18 Interdigital Patent Holdings METHOD AND APPLIANCE FOR H (E) VERIFICATION OF INTEGRITY NB AND VALIDATION
CN102342142A (en) 2009-03-06 2012-02-01 交互数字专利控股公司 Platform validation and management of wireless devices
CN101998406B (en) * 2009-08-31 2013-01-16 中国移动通信集团公司 WLAN access authentication based method for accessing services
EP2475194B1 (en) * 2009-08-31 2018-12-19 China Mobile Communications Corporation Service access method, system and device based on wlan access authentication
US8914674B2 (en) 2010-11-05 2014-12-16 Interdigital Patent Holdings, Inc. Device validation, distress indication, and remediation
CN103596121B (en) * 2013-10-30 2016-08-17 北京网河时代科技有限公司 The flow sharing method of Wireless Mobile Networks
CN103747096A (en) * 2014-01-21 2014-04-23 华为技术有限公司 Scheme for sharing traffic between terminals
CN105657635B (en) * 2014-11-28 2019-08-02 广州市动景计算机科技有限公司 Terminal flow sharing method and system

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5455863A (en) * 1993-06-29 1995-10-03 Motorola, Inc. Method and apparatus for efficient real-time authentication and encryption in a communication system
US5991407A (en) * 1995-10-17 1999-11-23 Nokia Telecommunications Oy Subscriber authentication in a mobile communications system
US6014085A (en) * 1997-10-27 2000-01-11 Lucent Technologies Inc. Strengthening the authentication protocol
US6173174B1 (en) * 1997-01-11 2001-01-09 Compaq Computer Corporation Method and apparatus for automated SSD updates on an a-key entry in a mobile telephone system
US6236852B1 (en) * 1998-12-11 2001-05-22 Nortel Networks Limited Authentication failure trigger method and apparatus
US20020012433A1 (en) * 2000-03-31 2002-01-31 Nokia Corporation Authentication in a packet data network
US6397056B1 (en) * 1999-04-30 2002-05-28 Telefonaktiebolaget L M Ericsson (Publ) System and method for reducing network signaling load in a radio telecommunications network
US20020146127A1 (en) * 2001-04-05 2002-10-10 Marcus Wong System and method for providing secure communications between wireless units using a common key
US20030045271A1 (en) * 2001-08-30 2003-03-06 Carey Christopher P. Method for reducing fraudulent system access
US20030051041A1 (en) * 2001-08-07 2003-03-13 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US6584310B1 (en) * 1998-05-07 2003-06-24 Lucent Technologies Inc. Method and apparatus for performing authentication in communication systems
US20030120920A1 (en) * 2001-12-20 2003-06-26 Svensson Sven Anders Borje Remote device authentication
US20030134636A1 (en) * 2002-01-02 2003-07-17 Rangamani Sundar Method, system, and apparatus for a mobile station to sense and select a wireless local area network (WLAN) or a wide area mobile wireless network (WWAN)
US20030139180A1 (en) * 2002-01-24 2003-07-24 Mcintosh Chris P. Private cellular network with a public network interface and a wireless local area network extension
US20030166398A1 (en) * 2002-03-04 2003-09-04 Eran Netanel Method and apparatus for secure immediate wireless access in a telecommunications network
US6668166B1 (en) * 1999-06-23 2003-12-23 Lucent Technologies Inc. Apparatus and method for mobile authentication employing international mobile subscriber identity
US6839434B1 (en) * 1999-07-28 2005-01-04 Lucent Technologies Inc. Method and apparatus for performing a key update using bidirectional validation
US20050113067A1 (en) * 2003-09-12 2005-05-26 Michael Marcovici Authenticating access to a wireless local area network based on security value(s) associated with a cellular system
US6918035B1 (en) * 1998-07-31 2005-07-12 Lucent Technologies Inc. Method for two-party authentication and key agreement
US20060004643A1 (en) * 2002-08-16 2006-01-05 Togewa Holding Ag Method and system for gsm billing during wlan roaming
US7181196B2 (en) * 2003-05-15 2007-02-20 Lucent Technologies Inc. Performing authentication in a communications system

Patent Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5455863A (en) * 1993-06-29 1995-10-03 Motorola, Inc. Method and apparatus for efficient real-time authentication and encryption in a communication system
US5991407A (en) * 1995-10-17 1999-11-23 Nokia Telecommunications Oy Subscriber authentication in a mobile communications system
US6173174B1 (en) * 1997-01-11 2001-01-09 Compaq Computer Corporation Method and apparatus for automated SSD updates on an a-key entry in a mobile telephone system
US6014085A (en) * 1997-10-27 2000-01-11 Lucent Technologies Inc. Strengthening the authentication protocol
US6584310B1 (en) * 1998-05-07 2003-06-24 Lucent Technologies Inc. Method and apparatus for performing authentication in communication systems
US6918035B1 (en) * 1998-07-31 2005-07-12 Lucent Technologies Inc. Method for two-party authentication and key agreement
US6236852B1 (en) * 1998-12-11 2001-05-22 Nortel Networks Limited Authentication failure trigger method and apparatus
US6397056B1 (en) * 1999-04-30 2002-05-28 Telefonaktiebolaget L M Ericsson (Publ) System and method for reducing network signaling load in a radio telecommunications network
US6668166B1 (en) * 1999-06-23 2003-12-23 Lucent Technologies Inc. Apparatus and method for mobile authentication employing international mobile subscriber identity
US6839434B1 (en) * 1999-07-28 2005-01-04 Lucent Technologies Inc. Method and apparatus for performing a key update using bidirectional validation
US20020012433A1 (en) * 2000-03-31 2002-01-31 Nokia Corporation Authentication in a packet data network
US20020146127A1 (en) * 2001-04-05 2002-10-10 Marcus Wong System and method for providing secure communications between wireless units using a common key
US20030051041A1 (en) * 2001-08-07 2003-03-13 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US20030045271A1 (en) * 2001-08-30 2003-03-06 Carey Christopher P. Method for reducing fraudulent system access
US20030120920A1 (en) * 2001-12-20 2003-06-26 Svensson Sven Anders Borje Remote device authentication
US20030134636A1 (en) * 2002-01-02 2003-07-17 Rangamani Sundar Method, system, and apparatus for a mobile station to sense and select a wireless local area network (WLAN) or a wide area mobile wireless network (WWAN)
US20030139180A1 (en) * 2002-01-24 2003-07-24 Mcintosh Chris P. Private cellular network with a public network interface and a wireless local area network extension
US20030166398A1 (en) * 2002-03-04 2003-09-04 Eran Netanel Method and apparatus for secure immediate wireless access in a telecommunications network
US20060004643A1 (en) * 2002-08-16 2006-01-05 Togewa Holding Ag Method and system for gsm billing during wlan roaming
US7181196B2 (en) * 2003-05-15 2007-02-20 Lucent Technologies Inc. Performing authentication in a communications system
US20050113067A1 (en) * 2003-09-12 2005-05-26 Michael Marcovici Authenticating access to a wireless local area network based on security value(s) associated with a cellular system

Cited By (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8630414B2 (en) 2002-06-20 2014-01-14 Qualcomm Incorporated Inter-working function for a communication system
US7475241B2 (en) 2002-11-22 2009-01-06 Cisco Technology, Inc. Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US20050025091A1 (en) * 2002-11-22 2005-02-03 Cisco Technology, Inc. Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US7870389B1 (en) 2002-12-24 2011-01-11 Cisco Technology, Inc. Methods and apparatus for authenticating mobility entities using kerberos
US7990930B2 (en) * 2003-09-26 2011-08-02 Samsung Electronics Co., Ltd. HRPD network access authentication method based on cave algorithm
US20090190562A1 (en) * 2003-09-26 2009-07-30 Samsung Electronics Co., Ltd. Hrpd network access authentication method based on cave algorithm
US20050198489A1 (en) * 2003-12-24 2005-09-08 Apple Computer, Inc. Server computer issued credential authentication
US7735120B2 (en) * 2003-12-24 2010-06-08 Apple Inc. Server computer issued credential authentication
US20100299729A1 (en) * 2003-12-24 2010-11-25 Apple Inc. Server Computer Issued Credential Authentication
US7515901B1 (en) * 2004-02-25 2009-04-07 Sun Microsystems, Inc. Methods and apparatus for authenticating devices in a network environment
US8867745B2 (en) * 2004-03-18 2014-10-21 Qualcomm Incorporated Efficient transmission of cryptographic information in secure real time protocol
US20050254656A1 (en) * 2004-03-18 2005-11-17 Qualcomm Incorporated Efficient transmission of cryptographic information in secure real time protocol
US8526914B2 (en) * 2004-06-04 2013-09-03 Alcatel Lucent Self-synchronizing authentication and key agreement protocol
US20050272406A1 (en) * 2004-06-04 2005-12-08 Lucent Technologies, Inc. Self-synchronizing authentication and key agreement protocol
US20070269048A1 (en) * 2004-08-06 2007-11-22 Hsu Raymond T Key generation in a communication system
US8094821B2 (en) * 2004-08-06 2012-01-10 Qualcomm Incorporated Key generation in a communication system
US7639802B2 (en) 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US20100166179A1 (en) * 2004-09-27 2010-07-01 Cisco Technology, Inc. Methods and apparatus for bootstrapping mobile-foreign and foreign-home authentication keys in mobile ip
US20060072759A1 (en) * 2004-09-27 2006-04-06 Cisco Technology, Inc. Methods and apparatus for bootstrapping mobile-foreign and foreign-home authentication keys in mobile IP
US8165290B2 (en) 2004-09-27 2012-04-24 Cisco Technology, Inc. Methods and apparatus for bootstrapping mobile-foreign and foreign-home authentication keys in mobile IP
US9713008B2 (en) 2004-10-01 2017-07-18 Intel Corporation System and method for user certificate initiation, distribution and provisioning in converged WLAN-WWAN interworking networks
US9282455B2 (en) * 2004-10-01 2016-03-08 Intel Corporation System and method for user certificate initiation, distribution, and provisioning in converged WLAN-WWAN interworking networks
US20060075242A1 (en) * 2004-10-01 2006-04-06 Selim Aissi System and method for user certificate initiation, distribution, and provisioning in converged WLAN-WWAN interworking networks
US7502331B2 (en) 2004-11-17 2009-03-10 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US20060104247A1 (en) * 2004-11-17 2006-05-18 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US20090144809A1 (en) * 2004-11-17 2009-06-04 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US8584207B2 (en) 2004-11-17 2013-11-12 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US7865602B2 (en) * 2005-02-23 2011-01-04 Nokia Siemens Networks Oy System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
US20060212511A1 (en) * 2005-02-23 2006-09-21 Nokia Corporation System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
US20060205386A1 (en) * 2005-03-11 2006-09-14 Lei Yu Method and apparatus for providing encryption and integrity key set-up
US20060224892A1 (en) * 2005-04-04 2006-10-05 Research In Motion Limited Securing a link between two devices
US9071426B2 (en) 2005-04-04 2015-06-30 Blackberry Limited Generating a symmetric key to secure a communication link
US9143323B2 (en) * 2005-04-04 2015-09-22 Blackberry Limited Securing a link between two devices
US7724904B2 (en) 2005-07-02 2010-05-25 Samsung Electronics Co., Ltd Authentication system and method thereof in a communication system
KR100770928B1 (en) 2005-07-02 2007-10-26 삼성전자주식회사 Authentication system and method thereofin a communication system
US7627124B2 (en) 2005-09-22 2009-12-01 Konica Minolta Technology U.S.A., Inc. Wireless communication authentication process and system
US20070064947A1 (en) * 2005-09-22 2007-03-22 Konica Minolta Technology U.S.A., Inc. Wireless communication authentication process and system
US7626963B2 (en) * 2005-10-25 2009-12-01 Cisco Technology, Inc. EAP/SIM authentication for mobile IP to leverage GSM/SIM authentication infrastructure
US20070091843A1 (en) * 2005-10-25 2007-04-26 Cisco Technology, Inc. EAP/SIM authentication for Mobile IP to leverage GSM/SIM authentication infrastructure
US8670566B2 (en) 2006-05-12 2014-03-11 Blackberry Limited System and method for exchanging encryption keys between a mobile device and a peripheral output device
US20070266247A1 (en) * 2006-05-12 2007-11-15 Research In Motion Limited System and method for exchanging encryption keys between a mobile device and a peripheral output device
WO2007138060A1 (en) 2006-06-01 2007-12-06 Nokia Siemens Networks Gmbh & Co. Kg Method and system for providing a mesh key
US8959333B2 (en) 2006-06-01 2015-02-17 Nokia Siemens Networks Gmbh & Co. Kg Method and system for providing a mesh key
US20090307483A1 (en) * 2006-06-01 2009-12-10 Nokia Siemens Networks Gmbh & Co.Kg Method and system for providing a mesh key
WO2008080353A1 (en) * 2006-12-29 2008-07-10 China Iwncomm Co., Ltd. A wlan operation method based on wapi
US8375207B2 (en) * 2007-08-21 2013-02-12 Motorola Solutions, Inc. Method and apparatus for authenticating a network device
CN101816200A (en) * 2007-10-04 2010-08-25 朗讯科技公司 Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US8428554B2 (en) * 2007-10-04 2013-04-23 Alcatel Lucent Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US20090191844A1 (en) * 2007-10-04 2009-07-30 Morgan Todd C Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
CN103220671A (en) * 2007-10-04 2013-07-24 朗讯科技公司 Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US20120184249A1 (en) * 2008-01-25 2012-07-19 Morgan Todd C Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US8457597B2 (en) * 2008-01-25 2013-06-04 Alcatel Lucent Method for authenticating a mobile unit attached to a femtocell that operates according to code division multiple access
US10164947B2 (en) * 2008-05-27 2018-12-25 Intel Corporation Methods and apparatus for protecting digital content
US20150121074A1 (en) * 2008-05-27 2015-04-30 Intel Corporation Methods and apparatus for protecting digital content
US20110107087A1 (en) * 2009-11-04 2011-05-05 Samsung Electronics Co. Ltd. Apparatus and method for refreshing master session key in wireless communication system
US20110167272A1 (en) * 2010-01-06 2011-07-07 Kolesnikov Vladimir Y Secure Multi-UIM aka key exchange
US8296836B2 (en) * 2010-01-06 2012-10-23 Alcatel Lucent Secure multi-user identity module key exchange
US20110208968A1 (en) * 2010-02-24 2011-08-25 Buffalo Inc. Wireless lan device, wireless lan system, and communication method for relaying packet
US8428263B2 (en) * 2010-02-24 2013-04-23 Buffalo Inc. Wireless LAN device, wireless LAN system, and communication method for relaying packet
US20130291071A1 (en) * 2011-01-17 2013-10-31 Telefonaktiebolaget L M Ericsson (Publ) Method and Apparatus for Authenticating a Communication Device
US9253178B2 (en) * 2011-01-17 2016-02-02 Telefonaktiebolaget L M Ericsson Method and apparatus for authenticating a communication device
WO2012141555A2 (en) * 2011-04-15 2012-10-18 Samsung Electronics Co., Ltd. Method and apparatus for providing machine-to-machine service
US9317688B2 (en) 2011-04-15 2016-04-19 Samsung Electronics Co., Ltd. Method and apparatus for providing machine-to-machine service
WO2012141555A3 (en) * 2011-04-15 2013-03-14 Samsung Electronics Co., Ltd. Method and apparatus for providing machine-to-machine service
US20150163215A1 (en) * 2013-04-17 2015-06-11 Tencent Technology (Shenzhen) Company Limited Method and Apparatus for Upgrading Open Authentication (OAUTH) Credentials
US9270669B2 (en) * 2013-09-29 2016-02-23 Alibaba Group Holding Limited Managing sharing of wireless network login passwords
US20160205087A1 (en) * 2013-09-29 2016-07-14 Alibaba Group Holding Limited Managing sharing of wireless network login passwords
US9596232B2 (en) * 2013-09-29 2017-03-14 Alibaba Group Holding Limited Managing sharing of wireless network login passwords
TWI608743B (en) * 2013-09-29 2017-12-11 Alibaba Group Services Ltd Method, server and system for managing wireless network login password sharing function
US20150095989A1 (en) * 2013-09-29 2015-04-02 Alibaba Group Holding Limited Managing sharing of wireless network login passwords
CN104159255A (en) * 2014-08-11 2014-11-19 小米科技有限责任公司 Method of sharing network among terminals and device
EP3328106A4 (en) * 2015-08-11 2018-08-29 Huawei Technologies Co., Ltd. Access verification method and apparatus
CN111800788A (en) * 2020-09-08 2020-10-20 全讯汇聚网络科技(北京)有限公司 Method, terminal and system for Wi-Fi connection management

Also Published As

Publication number Publication date
WO2005065132B1 (en) 2007-11-01
BRPI0417840A (en) 2007-04-27
RU2006126074A (en) 2008-01-27
CN101120534A (en) 2008-02-06
WO2005065132A2 (en) 2005-07-21
JP2007522695A (en) 2007-08-09
WO2005065132A3 (en) 2007-09-13
KR20060123345A (en) 2006-12-01

Similar Documents

Publication Publication Date Title
US20050138355A1 (en) System, method and devices for authentication in a wireless local area network (WLAN)
US10849191B2 (en) Unified authentication for heterogeneous networks
US9467432B2 (en) Method and device for generating local interface key
US8379854B2 (en) Secure wireless communication
US11496320B2 (en) Registration method and apparatus based on service-based architecture
US8543814B2 (en) Method and apparatus for using generic authentication architecture procedures in personal computers
KR101124780B1 (en) Method of establishing authentication keys and secure wireless communication
US9668139B2 (en) Secure negotiation of authentication capabilities
US10880291B2 (en) Mobile identity for single sign-on (SSO) in enterprise networks
US8881235B2 (en) Service-based authentication to a network
KR100755394B1 (en) Method for fast re-authentication in umts for umts-wlan handover
US20050271209A1 (en) AKA sequence number for replay protection in EAP-AKA authentication
KR100907825B1 (en) Authentication method for roaming in heterogeneous wireless interworking system
US8705734B2 (en) Method and system for authenticating a mobile terminal in a wireless communication system

Legal Events

Date Code Title Description
AS Assignment

Owner name: MOTOROLA, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, LIDONG;PAZHYANNUR, RAJESH S.;REEL/FRAME:014702/0852

Effective date: 20040526

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION